Foreword



This translation has been made based on the original Japanese Industrial Standard revised by the Minister of Health, Labour and Welfare and the Minister of Economy, Trade and Industry through deliberations at the Japanese Industrial Standards Committee, as the result of a proposal for revision of the Japanese Industrial Standard submitted by The Japan Machinery Federation (JMF) with the draft attached, based on the provision of Article 12 Clause 1 of the Industrial Standardization Law as applied to the case of revision by the provision of Article 14.

Consequently JIS B 9705-1:2000 is replaced with this Standard. 

This JIS document is protected by the Copyright Law. 

Attention is drawn to the possibility that some parts of this Standard may conflict 
with a patent right, application for a patent after opening to the public or utility 
model right which have technical properties. The relevant Ministers and the Japanese 
Industrial Standards Committee are not responsible for identifying the patent right, 
application for a patent after opening to the public or utility model right which have 
the said technical properties. 
JAPANESE INDUSTRIAL STANDARD JIS B 9705-1 : 2011

(ISO 13849-1 : 2006)

Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design



Introduction 

This Japanese Industrial Standard has been prepared based on the second edition 
of ISO 13849-1 published in 2006 without modifying the technical contents. 

The portions with dotted underlines are the matters not given in the corresponding International Standard.

The structure of safety standards in the field of machinery is as follows as stated 
in JIS B 9700-1. 

Type-A standards (basis standards) give basic concepts, principles for design and 
general aspects that can be applied to machinery. 

Type-B standards (generic safety standards) deal with one or more safety aspect(s), 
or one or more type(s) of safeguards that can be used across a wide range of machinery: 

— Type-B1 standards on particular safety aspects (e.g. safety distances, surface temperature, noise);

— Type-B2 standards on safeguards (e.g. two-hand controls, interlocking devices, pressure sensitive devices, guards).

Type-C standards (machinery safety standards) deal with detailed safety requirements for a particular machine or group of machines.

JIS B 9705-1 is a Type-B1 standard as stated in JIS B 9700-1.

When provisions of a Type-C standard are different from those which are stated in 
Type-A or Type-B standards, the provisions of the Type-C standard take precedence 
over the provisions of the other standards for machines that have been designed and 
built according to the provisions of the Type-C standard. 

JIS B 9705-1 is intended to give guidance to those involved in the design and assessment of control systems, and to those developing Type-B2 or Type-C standards.

As part of the overall risk reduction strategy at a machine, a designer will often 
choose to achieve some measure of risk reduction through the application of safeguards 
employing one or more safety functions. 

Parts of machinery control systems that are assigned to provide safety functions are called safety-related parts of control systems (SRP/CS). These can consist of hardware and software and can either be separate from the machine control system or an integral part of it. In addition to providing safety functions, SRP/CS can also provide operational functions (e.g. two-handed controls as a means of process initiation).

The ability of safety-related parts of control systems to perform a safety function under foreseeable conditions is allocated one of five levels, called performance levels (PL). These performance levels are defined in terms of probability of dangerous failure per hour (see table 3).
The probability of dangerous failure of the safety function depends on several factors, including hardware and software structure, the extent of fault detection mechanisms [diagnostic coverage (DC)], reliability of components [mean time to dangerous failure (MTTFd), common cause failure (CCF)], design process, operating stress, environmental conditions and operation procedures.

In order to assist the designer and help facilitate the assessment of achieved PL, this Standard employs a methodology based on the categorization of structures according to specific design criteria and specified behaviours under fault conditions. These categories are allocated one of five levels, termed Categories B, 1, 2, 3 and 4.

The performance levels and categories can be applied to safety-related parts of control systems, such as

— protective devices (e.g. two-hand control devices, interlocking devices), electro-sensitive protective devices (e.g. photoelectric barriers), pressure sensitive devices,

— control units (e.g. a logic unit for control functions, data processing, monitoring, etc.), and

— power control elements (e.g. relays, valves, etc.),

as well as to control systems carrying out safety functions at all kinds of machinery — from simple (e.g. small kitchen machines, or automatic doors and gates) to manufacturing installations (e.g. packaging machines, printing machines, presses).

This Standard is intended to provide a clear basis upon which the design and performance of any application of the SRP/CS (and the machine) can be assessed, for example, by a third party, in-house or by an independent test house.

JIS B 9961 and this Standard specify requirements for the design and implementation of safety-related control systems of machinery. The use of either of these Standards, in accordance with their scopes, can be presumed to fulfil the relevant essential safety requirements. The following table summarizes the scopes of JIS B 9961 and this Standard.






Table 1 Recommended application of JIS B 9961 and JIS B 9705-1

  | Technology implementing the safety-related control function(s) | JIS B 9705-1 | JIS B 9961
--|----------------------------------------------------------------|--------------|-----------
A | Non-electrical, e.g. hydraulics | X | Not covered
B | Electromechanical, e.g. relays, and/or non-complex electronics | Restricted to designated architectures a) and up to PL = e | All architectures and up to SIL3
C | Complex electronics, e.g. programmable | Restricted to designated architectures a) and up to PL = d | All architectures and up to SIL3
D | A combined with B | Restricted to designated architectures a) and up to PL = e | X c)
E | C combined with B | Restricted to designated architectures a) and up to PL = d | All architectures and up to SIL3
F | C combined with A, or C combined with A and B | X b) | X c)

X indicates that this item is dealt with by the Standard shown in the column heading.

Notes a) Designated architectures are defined in 6.2 in order to give a simplified approach for quantification of performance level.

b) For complex electronics: use designated architectures according to this Standard up to PL = d or any architecture according to JIS B 9961.

c) For non-electrical technology, use parts in accordance with this Standard as subsystems.



1 Scope 

This Standard provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems (SRP/CS), including the design of software. For these parts of SRP/CS, it specifies characteristics that include the performance level required for carrying out safety functions. It applies to SRP/CS, regardless of the type of technology and energy used (electrical, hydraulic, pneumatic, mechanical, etc.), for all kinds of machinery.

It does not specify the safety functions or performance levels that are to be used in 
a particular case. 

This Standard provides specific requirements for SRP/CS using programmable electronic system(s).

It does not give specific requirements for the design of products which are parts of 
SRP/CS. Nevertheless, the principles given, such as categories or performance levels, 
can be used. 

NOTE 1 Examples of products which are parts of SRP/CS: relays, solenoid valves, position switches, PLCs (programmable logic controllers), motor control units, two-hand control devices, pressure sensitive equipment. For the design of such products, it is important to refer to the specifically applicable Standards, e.g. JIS B 9712, JIS B 9717-1 and ISO 13856-2.

NOTE 2 For the definition of required performance level, see 3.1.24. 
NOTE 3 The requirements provided in this Standard for programmable electronic systems are compatible with the methodology for the design and development of safety-related electrical, electronic and programmable electronic control systems for machinery given in JIS B 9961.

NOTE 4 For safety-related embedded software for components with PLr = e see IEC 61508-3, clause 7.

NOTE 5 See also table 1. 

NOTE 6 The International Standard corresponding to this Standard and the 
symbol of degree of correspondence are as follows. 

ISO 13849-1:2006 Safety of machinery — Safety-related parts of control systems — Part 1: General principles for design (IDT)

In addition, symbols which denote the degree of correspondence in 
the contents between the relevant International Standard and JIS are 
IDT (identical), MOD (modified), and NEQ (not equivalent) according 
to ISO/IEC Guide 21-1. 

2 Normative references 

The following standards contain provisions which, through reference in this text, 
constitute provisions of this Standard. The most recent editions (including amendments) 
indicated below shall be applied. 

JIS B 9700-1 Safety of machinery — Basic concepts, general principles for design — Part 1: Basic terminology, methodology

NOTE : Corresponding International Standard: ISO 12100-1 Safety of machinery — Basic concepts, general principles for design — Part 1: Basic terminology, methodology (IDT)

JIS B 9700-2 Safety of machinery — Basic concepts, general principles for design — Part 2: Technical principles

NOTE : Corresponding International Standard: ISO 12100-2 Safety of machinery — Basic concepts, general principles for design — Part 2: Technical principles (IDT)

JIS B 9702 Safety of machinery — Principles of risk assessment

NOTE : Corresponding International Standard: ISO 14121 Safety of machinery — Principles of risk assessment (IDT)

ISO 13849-2 Safety of machinery — Safety-related parts of control systems — Part 2: Validation

IEC 60050-191 International Electrotechnical Vocabulary. Chapter 191: Dependability and quality of service, Amd. 1:1999 and Amd. 2:2002

IEC 61508-3 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 3: Software requirements, and Corr. 1:1999

IEC 61508-4 Functional safety of electrical/electronic/programmable electronic safety-related systems — Part 4: Definitions and abbreviations, and Corr. 1:1999
3 Terms, definitions, symbols and abbreviated terms

3.1 Terms and definitions 

For the purposes of this document, the terms and definitions given in JIS B 9700-1 and IEC 60050-191 and the following apply.

3.1.1 safety-related part of a control system, SRP/CS 

part of a control system that responds to safety-related input signals and generates 
safety-related output signals 

NOTE 1 The combined safety-related parts of a control system start at the point where the safety-related input signals are initiated (including, for example, the actuating cam and the roller of the position switch) and end at the output of the power control elements (including, for example, the main contacts of a contactor).

NOTE 2 If monitoring systems are used for diagnostics, they are also considered 
as SRP/CS. 

3.1.2 category 

classification of the safety-related parts of a control system in respect of their resistance to faults and their subsequent behaviour in the fault condition, and which is achieved by the structural arrangement of the parts, fault detection and/or by their reliability

3.1.3 fault 

state of an item characterized by the inability to perform a required function, excluding the inability during preventive maintenance or other planned actions, or due to lack of external resources

NOTE 1 A fault is often the result of a failure of the item itself, but may exist 
without prior failure. 

(See IEC 60050-191, 05-01.) 

NOTE 2 In this Standard, "fault" means random fault. 

NOTE 3 The term "HUGUAI" defined in JIS B 9700-1 has the same meaning as "SYOGAI" defined in this Standard. "HUGUAI" is mainly used for machinery.

3.1.4 failure 

termination of the ability of an item to perform a required function 

NOTE 1 After a failure, the item has a fault. 

NOTE 2 "Failure" is an event, as distinguished from "fault", which is a state. 

NOTE 3 The concept as defined does not apply to items consisting of software only. 
(See IEC 60050-191, 04-01.) 

NOTE 4 Failures which only affect the availability of the process under control 
are outside of the scope of this Standard. 
3.1.5 dangerous failure

failure which has the potential to put the SRP/CS in a hazardous or fail-to-function 
state 

NOTE : Whether or not the potential is realized can depend on the channel architecture of the system; in redundant systems a dangerous hardware failure is less likely to lead to the overall dangerous or fail-to-function state.

(Adapted from IEC 61508-4, definition 3.6.7.) 

3.1.6 common cause failure, CCF 

failures of different items, resulting from a single event, where these failures are not 
consequences of each other 

(See IEC 60050-191 Amd. 1, 04-23.)

NOTE : Common cause failures should not be confused with common mode failures.

3.1.7 systematic failure 

failure related in a deterministic way to a certain cause, which can only be eliminated 
by a modification of the design or of the manufacturing process, operational procedures, 
documentation or other relevant factors 

NOTE 1 Corrective maintenance without modification will usually not eliminate 
the failure cause. 

NOTE 2 A systematic failure can be induced by simulating the failure cause. 

(See IEC 60050-191, 04-19.) 

NOTE 3 Examples of causes of systematic failures include human error in 

— the safety requirements specification, 

— the design, manufacture, installation, operation of the hardware, and 

— the design, implementation, etc., of the software. 

3.1.8 muting 

temporary automatic suspension of a safety function(s) by the SRP/CS 

3.1.9 manual reset

function within the SRP/CS used to restore manually one or more safety functions before 
re-starting a machine 

3.1.10 harm 

physical injury or damage to health 

(See JIS B 9700-1, 3.5.) 

3.1.11 hazard 

potential source of harm 
NOTE 1 A hazard can be qualified in order to define its origin (e.g. mechanical hazard, electrical hazard) or the nature of the potential harm (e.g. electric shock hazard, cutting hazard, toxic hazard, fire hazard).

NOTE 2 The hazard envisaged in this definition: 

— either is permanently present during the intended use of the machine (e.g. motion of hazardous moving elements, electric arc during a welding phase, unhealthy posture, noise emission, high temperature);

— or may appear unexpectedly (e.g. explosion, crushing hazard as a consequence of an unintended/unexpected start-up, ejection as a consequence of a breakage, fall as a consequence of acceleration/deceleration).

(See JIS B 9700-1, 3.6.) 

3.1.12 hazardous situation 

circumstance in which a person is exposed to at least one hazard, the exposure having immediately or over a long period of time the potential to result in harm

(See JIS B 9700-1, 3.9.) 

3.1.13 risk 

combination of the probability of occurrence of harm and the severity of that harm 
(See JIS B 9700-1, 3.11.)

3.1.14 residual risk 

risk remaining after protective measures have been taken 
See figure 2. 
(Adapted from JIS B 9700-1, definition 3.12.) 

3.1.15 risk assessment 

overall process comprising risk analysis and risk evaluation 
(See JIS B 9700-1, 3.13.) 

3.1.16 risk analysis 

combination of the specification of the limits of the machine, hazard identification and 
risk estimation 

(See JIS B 9700-1, 3.14.) 

3.1.17 risk evaluation 

judgement, on the basis of risk analysis, of whether risk reduction objectives have been achieved

(See JIS B 9700-1, 3.16.)

3.1.18 intended use of a machine 

use of the machine in accordance with the information provided in the instructions for 
use 

(See JIS B 9700-1, 3.22.) 
3.1.19 reasonably foreseeable misuse

use of a machine in a way not intended by the designer, but which may result from 
readily predictable human behaviour 

(See JIS B 9700-1, 3.23.) 

3.1.20 safety function 

function of the machine whose failure can result in an immediate increase of the risk(s) 
(See JIS B 9700-1, 3.28.) 

3.1.21 monitoring 

safety function which ensures that a protective measure is initiated if the ability of a component or an element to perform its function is diminished or if the process conditions are changed in such a way that a decrease of the amount of risk reduction is generated

3.1.22 programmable electronic system, PES 

system for control, protection or monitoring dependent for its operation on one or more 
programmable electronic devices, including all elements of the system such as power 
supplies, sensors and other input devices, contactors and other output devices 

(Adapted from IEC 61508-4, definition 3.3.2.)

3.1.23 performance level, PL 

discrete level used to specify the ability of safety-related parts of control systems to 
perform a safety function under foreseeable conditions 

NOTE : See 4.5.1.

3.1.24 required performance level, PLr

performance level (PL) applied in order to achieve the required risk reduction for each 
safety function 

See figures 2 and A.l. 

3.1.25 mean time to dangerous failure, MTTFd 
expectation of the mean time to dangerous failure 

(Adapted from JIS B 9961, definition 3.2.34.)

3.1.26 diagnostic coverage, DC 

measure of the effectiveness of diagnostics, which may be determined as the ratio 
between the failure rate of detected dangerous failures and the failure rate of total 
dangerous failures 

NOTE : Diagnostic coverage can exist for the whole or parts of a safety-related 
system. For example, diagnostic coverage could exist for sensors and/or 
logic system and/or final elements. 

(Adapted from IEC 61508-4, definition 3.8.6.) 
3.1.27 protective measure

measure intended to achieve risk reduction 

Example 1 Implemented by the designer: inherent design, safeguarding and complementary protective measures, information for use.

Example 2 Implemented by the user: organization (safe working procedures, su- 
pervision, permit-to-work systems), provision and use of additional safe- 
guards, personal protective equipment, training. 

(Adapted from JIS B 9700-1, definition 3.18.) 

3.1.28 mission time, TM

period of time covering the intended use of an SRP/CS 

3.1.29 test rate, rt

frequency of automatic tests to detect faults in an SRP/CS, reciprocal value of diagnostic test interval

3.1.30 demand rate, rd

frequency of demands for a safety-related action of the SRP/CS 

3.1.31 repair rate, rr

reciprocal value of the period of time between detection of a dangerous failure by either 
an online test or obvious malfunction of the system and the restart of operation after 
repair or system/component replacement 

NOTE : The repair time does not include the span of time needed for failure detection.

3.1.32 machine control system 

system which responds to input signals from parts of machine elements, operators, 
external control equipment or any combination of these and generates output signals 
causing the machine to behave in the intended manner 

NOTE : The machine control system can use any technology or any combination 
of different technologies (e.g. electrical/electronic, hydraulic, pneumatic, 
mechanical). 

3.1.33 safety integrity level, SIL 

discrete level (one out of a possible four) for specifying the safety integrity requirements of the safety functions to be allocated to the E/E/PE (electric/electronic/programmable electronic) safety-related systems, where safety integrity level 4 (SIL4) has the highest level of safety integrity and safety integrity level 1 (SIL1) has the lowest

(See IEC 61508-4, 3.5.6.) 

3.1.34 limited variability language, LVL 

type of language that provides the capability of combining predefined, application-specific library functions to implement the safety requirements specifications

(Adapted from IEC 61511-1, definition 3.2.81.1.2.) 
NOTE 1 Typical examples of LVL (ladder logic, function block diagram) are given in JIS B 3503.

NOTE 2 A typical example of a system using LVL: PLC. 

3.1.35 full variability language, FVL 

type of language that provides the capability of implementing a wide variety of functions and applications

Example : C, C++, Assembler.

(Adapted from IEC 61511-1, definition 3.2.81.1.3.) 

NOTE 1 A typical example of systems using FVL: embedded systems. 

NOTE 2 In the field of machinery, FVL is found in embedded software and rarely 
in application software. 

3.1.36 application software 

software specific to the application, implemented by the machine manufacturer, and 
generally containing logic sequences, limits and expressions that control the appropriate 
inputs, outputs, calculations and decisions necessary to meet the SRP/CS requirements 

3.1.37 embedded software, firmware, system software 

software that is part of the system supplied by the control manufacturer and which is 
not accessible for modification by the user of the machinery 

NOTE : Embedded software is usually written in FVL. 

3.2 Symbols and abbreviated terms 

See table 2. 

Table 2 Symbols and abbreviated terms

Symbol or abbreviation | Description | Definition or occurrence
-----------------------|-------------|-------------------------
a, b, c, d, e | Denotation of performance levels | Table 3
AOPD | Active optoelectronic protective device (e.g. light barrier) | Annex H
B, 1, 2, 3, 4 | Denotation of categories | Table 7
B10d | Number of cycles until 10 % of the components fail dangerously (for pneumatic and electromechanical components) | Annex C
Cat. | Category | 3.1.2
CC | Current converter | Annex I
CCF | Common cause failure | 3.1.6
DC | Diagnostic coverage | 3.1.26
DCavg | Average diagnostic coverage | E.2
F, F1, F2 | Frequency and/or time of exposure to the hazard | A.2.2
FB | Function block | 4.6.3
FVL | Full variability language | 3.1.35
FMEA | Failure modes and effects analysis | 7.2
I, I1, I2 | Input device, e.g. sensor | 6.2
i | Index for counting | Annex D
I/O | Inputs/outputs | Table E.1
iab, ibc | Interconnecting means | Figure 4
K1A, K1B | Contactors | Annex I
L, L1, L2 | Logic | 6.2
LVL | Limited variability language | 3.1.34
M | Motor | Annex I
MTTF | Mean time to failure | Annex C
MTTFd | Mean time to dangerous failure | 3.1.25
n, N | Number of items | 6.3, D.1
Nlow | Number of SRP/CS with PLlow in a combination of SRP/CS | 6.3
O, O1, O2, OTE | Output device, e.g. actuator | 6.2
P, P1, P2 | Possibility of avoiding the hazard | A.2.3
PES | Programmable electronic system | 3.1.22
PL | Performance level | 3.1.23
PLC | Programmable logic controller | Annex I
PLlow | Lowest performance level of an SRP/CS in a combination of SRP/CS | 6.3
PLr | Required performance level | 3.1.24
rd | Demand rate | 3.1.30
RS | Rotation sensor | Annex I
S, S1, S2 | Severity of injury | A.2.1
SW1A, SW1B, SW2 | Position switches | Annex I
SIL | Safety integrity level | Table 4
SRASW | Safety-related application software | 4.6.3
SRESW | Safety-related embedded software | 4.6.2
SRP | Safety-related part | General
SRP/CS | Safety-related part of a control system | 3.1.1
TE | Test equipment | 6.2
TM | Mission time | 3.1.28



4 Design considerations 

4.1 Safety objectives in design 

The SRP/CS shall be designed and constructed so that the principles of JIS B 9700-1 and JIS B 9702 are fully taken into account (see figures 1 and 3). All intended use and reasonably foreseeable misuse shall be considered.
Note a) Refers to this Standard, figure 3.

Figure 1 Overview of risk assessment/risk reduction
4.2 Strategy for risk reduction

4.2.1 General 

The strategy for risk reduction at the machine is given in JIS B 9700-1, clause 5, 
and further guidance is given in JIS B 9700-2, clauses 4 and 5. This strategy covers 
the whole life cycle of the machine. 

The hazard analysis and risk reduction process for a machine requires that hazards are eliminated or reduced through a hierarchy of measures:

— hazard elimination or risk reduction by design (see JIS B 9700-2, clause 4);

— risk reduction by safeguarding and possibly complementary protective measures 
(see JIS B 9700-2, clause 5); 

— risk reduction by the provision of information for use about the residual risk (see 
JIS B 9700-2, clause 6). 

4.2.2 Contribution to the risk reduction by the control system 

The purpose in following the overall design procedure for the machine is to achieve 
the safety objectives (see 4.1). The design of the SRP/CS to provide the required risk 
reduction is an integral subset of the overall design procedure for the machine. The 
SRP/CS provides safety function(s) at a PL which achieves the required risk reduction. 
In providing safety function(s), either as an inherently safe part of the design or as a 
control for a safeguard or protective device, the design of the SRP/CS is a part of the 
strategy for risk reduction. This is an iterative process and is illustrated in figures 1 
and 3. 

For each safety function, the characteristics (see clause 5) and the required performance level shall be specified and documented in the safety requirements specification.

In this Standard the performance levels are defined in terms of probability of dangerous failure per hour. Five performance levels (a to e) are set out, with defined ranges of probability of a dangerous failure per hour (see table 3).

Table 3 Performance levels (PL)

PL | Average probability of dangerous failure per hour (PFHd) [1/h]
---|----------------------------------------------------------------
a  | 10^-5 ≤ PFHd < 10^-4
b  | 3 × 10^-6 ≤ PFHd < 10^-5
c  | 10^-6 ≤ PFHd < 3 × 10^-6
d  | 10^-7 ≤ PFHd < 10^-6
e  | 10^-8 ≤ PFHd < 10^-7

NOTE : Besides the average probability of dangerous failure per hour, other measures are also necessary to achieve the PL.
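The Table 3 bands are the quantitative backbone of the PL scheme, so the following added example (not text or code from the standard) classifies a PFHd into a PL with the half-open interval semantics of the table, computes DC as defined in 3.1.26, and sums the PFHd of SRP/CS chained in series as in figure 4. The summation rule is the one given in clause 6.3 of the full standard (not reproduced on this page) and is stated here as an assumption; all numeric inputs are constructed.

```python
"""Performance-level arithmetic per JIS B 9705-1 / ISO 13849-1 Table 3.

Added example, not text from the standard. PL bands follow Table 3 with the
lower bound inclusive and the upper bound exclusive. The series-combination
rule (sum the PFHd of the chained SRP/CS, then re-read Table 3) is taken
from clause 6.3 of the full standard, which this page does not reproduce.
"""
from __future__ import annotations

# Table 3: PL -> [lower, upper) band of average PFHd in 1/h.
PL_RANGES: dict[str, tuple[float, float]] = {
    "a": (1e-5, 1e-4),
    "b": (3e-6, 1e-5),
    "c": (1e-6, 3e-6),
    "d": (1e-7, 1e-6),
    "e": (1e-8, 1e-7),
}

PL_ORDER = "abcde"  # ascending risk reduction; e is the highest PL


def pl_from_pfhd(pfhd: float) -> str | None:
    """Map an average PFHd [1/h] to a PL according to Table 3.

    Returns None outside the a..e bands: above 1e-4 no PL is reached, and
    below 1e-8 Table 3 defines no band.
    """
    if pfhd < 0:
        raise ValueError("PFHd cannot be negative")
    for pl, (low, high) in PL_RANGES.items():
        if low <= pfhd < high:
            return pl
    return None


def diagnostic_coverage(lambda_dd: float, lambda_d: float) -> float:
    """DC per 3.1.26: rate of detected dangerous failures / total dangerous failure rate."""
    if lambda_d <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    if not 0 <= lambda_dd <= lambda_d:
        raise ValueError("detected rate must lie between 0 and the total rate")
    return lambda_dd / lambda_d


def combined_pfhd(parts: list[float]) -> float:
    """PFHd of SRP/CS in series (e.g. input, logic, output of figure 4).

    Assumed clause 6.3 rule: dangerous failures of chained parts add, so the
    individual PFHd values are summed.
    """
    if not parts:
        raise ValueError("at least one SRP/CS is required")
    if any(p < 0 for p in parts):
        raise ValueError("PFHd values cannot be negative")
    return sum(parts)


def combined_pl(parts: list[float]) -> str | None:
    """PL of the whole chain: sum the PFHd values, then classify via Table 3."""
    return pl_from_pfhd(combined_pfhd(parts))


def pl_meets_requirement(achieved: str | None, required: str) -> bool:
    """True when the achieved PL is at least the required PL (PLr)."""
    if required not in PL_ORDER:
        raise ValueError(f"unknown PLr {required!r}")
    return achieved is not None and PL_ORDER.index(achieved) >= PL_ORDER.index(required)


if __name__ == "__main__":
    # Constructed PFHd figures for a figure-4 chain: sensor, logic, contactor.
    chain = [3e-8, 2.5e-8, 4e-8]
    print(f"chain PFHd = {combined_pfhd(chain):.2e} 1/h -> PL {combined_pl(chain)}")
    # Every part above is PL e on its own, and so is the three-part chain;
    # adding a fourth PL e part pushes the sum past 1e-7 and the chain drops to PL d.
    print(f"with a fourth part -> PL {combined_pl(chain + [2e-8])}")
    print(f"DC = {diagnostic_coverage(9e-7, 1e-6):.2f}")
```

The second print shows the practical point of the summation rule: parts that are each PL e can combine into a chain that only reaches PL d, so PLr has to be checked against the combination, not the parts.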



From the risk assessment (see JIS B 9702) at the machine, the designer shall decide the contribution to the reduction of risk which needs to be provided by each relevant safety function which is carried out by the SRP/CS(s). This contribution does not cover the overall risk of the machinery under control: it is not the overall risk of, e.g., a mechanical press or a washing machine that is considered, but that part of the risk reduced by the application of particular safety functions. Examples of such functions are the stopping function initiated by using an electro-sensitive protective device on a press or the door-locking function of a washing machine.

Risk reduction can be achieved by applying various protective measures (both SRP/CS and non SRP/CS) with the end result of achieving a safe condition (see figure 2).
Key

for a specific hazardous situation, the risk before protective measures are applied

risk reduction required from protective measures

actual risk reduction achieved with protective measures

1 solution 1 — important part of risk reduction due to protective measures other than SRP/CS (e.g. mechanical measures), small part of risk reduction due to SRP/CS

2 solution 2 — important part of risk reduction due to the SRP/CS (e.g. light curtain), small part of risk reduction due to protective measures other than SRP/CS (e.g. mechanical measures)

3 adequately reduced risk

4 inadequately reduced risk

R risk

a residual risk obtained by solutions 1 and 2

b adequately reduced risk

R1SRP/CS, R2SRP/CS risk reduction from the safety function carried out by the SRP/CS

R1M, R2M risk reduction from protective measures other than SRP/CS (e.g. mechanical measures)

NOTE : See JIS B 9700 series for further information on risk reduction.

Figure 2 Overview of the risk reduction process for each hazardous situation
From figure 1: Does the protective measure selected depend on a control system? If yes, for each selected safety function:

— Identify the safety functions to be performed by SRP/CSs

— For each safety function specify the required characteristics (see clause 5)

— Determine the required performance level PLr (see 4.3 and Annex A)

— Design and technical realisation of the safety function: identify the safety-related parts which carry out the safety function (see 4.4)

— Evaluate the performance level PL (see 4.5) of the above safety-related parts considering:

  — category (see clause 6)

  — MTTFd (see Annexes C and D)

  — DC (see Annex E)

  — CCF (see Annex F)

  — if existing: software (see 4.6 and Annex J)

Are other hazards generated? To figure 1.

Note a) ISO 13849-2 provides additional help for the validation.

Figure 3 Iterative process for design of safety-related parts of control systems (SRP/CS)
4.3 Determination of required performance level (PLr)

For each selected safety function to be carried out by an SRP/CS, a required performance level (PLr) shall be determined and documented (see Annex A for guidance on determining PLr). The determination of the required performance level is the result of the risk assessment and refers to the amount of the risk reduction to be carried out by the safety-related parts of the control system (see figure 2).

The greater the amount of risk reduction required to be provided by the SRP/CS, 
the higher the PL r shall be. 

4.4 Design of SRP/CS 

Part of the risk reduction process is to determine the safety functions of the machine. This will include the safety functions of the control system, e.g. prevention of unexpected start-up.

A safety function may be implemented by one or more SRP/CS, and several safety functions may share one or more SRP/CS [e.g. a logic unit, power control element(s)]. It is also possible that one SRP/CS implements safety functions and standard control functions. The designer may use any of the technologies available, singly or in combination. SRP/CS may also provide an operational function (e.g. an AOPD as a means of cycle initiation).

A typical safety function diagrammatic presentation is given in figure 4 showing a combination of safety-related parts of control systems (SRP/CS) for

— input (SRP/CSa),

— logic/processing (SRP/CSb),

— output/power control elements (SRP/CSc), and

— interconnecting means (iab, ibc) (e.g. electrical, optical).

NOTE 1 Within the same machinery it is important to distinguish between different safety functions and their related SRP/CS carrying out a certain safety function.

Having identified the safety functions of the control system, the designer shall identify the SRP/CS (see figures 1 and 3) and, where necessary, shall assign them to input, logic and output and, in the case of redundancy, the individual channels, and then evaluate the performance level PL (see figure 3).

NOTE 2 Designated architectures are given in clause 6. 

NOTE 3 All interconnecting means are included in the safety-related parts. 
[Figure 4 is a block diagram; the blocks read, left to right: SRP/CSa, iab, SRP/CSb, ibc, SRP/CSc, then the output O.]

Key

input

logic

O output

initiation event (e.g. manual actuation of a push button, opening of guard, interruption of beam of AOPD)

machine actuator (e.g. motor brakes)

Figure 4 Diagrammatic presentation of combination of safety-related parts of control systems for processing typical safety function


4.5 Evaluation of the achieved performance level PL and relationship with SIL

4.5.1 Performance level PL 

For the purposes of this Standard, the ability of safety-related parts to perform a 
safety function is expressed through the determination of the performance level. 

For each selected SRP/CS and/or for the combination of SRP/CS that performs a 
safety function the estimation of PL shall be done. 

The PL of the SRP/CS shall be determined by the estimation of the following aspects:

— the MTTFd value for single components (see Annexes C and D);

— the DC (see Annex E); 

— the CCF (see Annex F); 

— the structure (see clause 6); 

— the behaviour of the safety function under fault condition(s) (see clause 6); 

— safety-related software (see 4.6 and Annex J); 

— systematic failure (see Annex G); 

— the ability to perform a safety function under expected environmental conditions. 

NOTE 1 Other parameters, e.g. operational aspects, demand rate, test rate, can 
have certain influence. 

These aspects can be grouped under two approaches in relation to the evaluation 
process: 

a) quantifiable aspects (MTTFd value for single components, DC, CCF, structure);

b) non-quantifiable, qualitative aspects which affect the behaviour of the SRP/CS (behaviour of the safety function under fault conditions, safety-related software, systematic failure and environmental conditions).

Among the quantifiable aspects, the contribution of reliability (e.g. MTTFd, structure) can vary with the technology used. For example, it is possible (within certain limits) for a single channel of safety-related parts of high reliability in one technology to provide the same or higher PL as a fault-tolerant structure of low reliability in another technology.

There are several methods for estimating the quantifiable aspects of the PL for any type of system (e.g. a complex structure), for example, Markov modelling, generalized stochastic Petri nets (GSPN), reliability block diagrams (see, e.g. IEC 61508 series).

To make the assessment of the quantifiable aspects of the PL easier, this Standard provides a simplified method based on the definition of five designated architectures that fulfil specific design criteria and behaviour under a fault condition (see 4.5.4).

For an SRP/CS or combination of SRP/CS designed according to the requirements 
given in clause 6, the average probability of a dangerous failure could be estimated 
by means of figure 5 and the procedure given in Annexes A to H, J and K. 

For an SRP/CS which deviates from the designated architectures, a detailed calculation shall be provided to demonstrate the achievement of the required performance level (PLr).

In applications where the SRP/CS can be considered simple, and the required performance level is a to c, a qualitative estimation of the PL may be justified in the design rationale.

NOTE 2 For the design of complex control systems, such as PES designed to perform safety functions, the application of other standards can be appropriate (e.g. IEC 61508 series, JIS B 9961 or JIS B 9704 series).

The achievement of qualitative aspects of the PL can be demonstrated by the application of the recommended measures given in 4.6 and Annex G.

In standards in accordance with IEC 61508 series, the ability of safety-related control systems to perform a safety function is given through a SIL. Table 4 displays the relationship between the two concepts (PLs and SILs).

PLa has no correspondence on the SIL scale and is mainly used to reduce the risk 
of slight, normally reversible, injury. Since SIL4 is dedicated to catastrophic events 
possible in the process industry, this range is not relevant for risks at machines. Thus 
PLe corresponding to SIL3 is defined as the highest level. 
Table 4 Relationship between performance level (PL) and safety integrity level (SIL)

| PL | SIL (high/continuous mode of operation) |
|---|---|
| a | No correspondence |
| b | 1 |
| c | 1 |
| d | 2 |
| e | 3 |

Therefore, protective measures to reduce the risk shall be applied, principally the 
following. 

— Reduce the probability of faults at the component level. The aim is to reduce the probability of faults or failures which affect the safety function. This can be done by increasing the reliability of components, e.g. by selection of well-tried components and/or applying well-tried safety principles, in order to minimize or exclude critical faults or failures (see ISO 13849-2).

— Improve the structure of the SRP/CS. The aim is to avoid the dangerous effect of 
a fault. Some faults may be detected and a redundant and/or monitored structure 
could be needed. 

Both measures can be applied separately or in combination. With some technologies, risk reduction can be achieved by selecting reliable components and by fault exclusions; but with other technologies, risk reduction could require a redundant and/or monitored system. In addition, common cause failures (CCF) shall be taken into account (see figure 3).

For architectural constraints, see clause 6. 

4.5.2 Mean time to dangerous failure of each channel (MTTFd)

The value of the MTTFd of each channel is given in three levels (see table 5) and shall be taken into account for each channel (e.g. single channel, each channel of a redundant system) individually.

According to MTTFd, a maximum value of 100 years can be taken into account. 
Table 5 Mean time to dangerous failure of each channel (MTTFd)

| Denotation of each channel | Range of each channel |
|---|---|
| Low | 3 years ≤ MTTFd < 10 years |
| Medium | 10 years ≤ MTTFd < 30 years |
| High | 30 years ≤ MTTFd ≤ 100 years |

NOTE 1 The choice of the MTTFd ranges of each channel is based on failure rates found in the field as state-of-the-art, forming a kind of logarithmic scale fitting to the logarithmic PL scale. An MTTFd value of each channel less than three years is not expected to be found for real SRP/CS since this would mean that after one year about 30 % of all systems on the market will fail and will need to be replaced. An MTTFd value of each channel greater than 100 years is not acceptable because SRP/CS for high risks should not depend on the reliability of components alone. To reinforce the SRP/CS against systematic and random failure, additional means such as redundancy and testing should be required. To be practicable, the number of ranges was restricted to three. The limitation of MTTFd of each channel values to a maximum of 100 years refers to the single channel of the SRP/CS which carries out the safety function. Higher MTTFd values can be used for single components (see table D.1).

NOTE 2 The indicated borders of this table are assumed within an accuracy of 5 %.



For the estimation of MTTFd of a component, the hierarchical procedure for finding data shall be, in the order given:

a) use manufacturer's data; 

b) use methods in Annexes C and D; 

c) choose ten years. 

4.5.3 Diagnostic coverage (DC) 

The value of the DC is given in four levels (see table 6). 

For the estimation of DC, in most cases, failure mode and effects analysis (FMEA, see IEC 60812) or similar methods can be used. In this case, all relevant faults and/or failure modes should be considered and the PL of the combination of the SRP/CS which carry out the safety function should be checked against the required performance level (PLr). For a simplified approach to estimating DC, see Annex E.
Table 6 Diagnostic coverage (DC)

| Denotation | Range |
|---|---|
| None | DC < 60 % |
| Low | 60 % ≤ DC < 90 % |
| Medium | 90 % ≤ DC < 99 % |
| High | 99 % ≤ DC |

NOTE 1 For SRP/CS consisting of several parts an average value DCavg for DC is used in figure 5, clause 6 and E.2.

NOTE 2 The choice of the DC ranges is based on the key values 60 %, 90 % and 99 % also established in other standards (e.g. IEC 61508 series) dealing with diagnostic coverage of tests. Investigations show that (100 - DC) % rather than DC itself is a characteristic measure for the effectiveness of the test. (100 - DC) % for the key values 60 %, 90 % and 99 % forms a kind of logarithmic scale fitting to the logarithmic PL-scale. A DC-value less than 60 % has only slight effect on the reliability of the tested system and is therefore called "none". A DC-value greater than 99 % for complex systems is very hard to achieve. To be practicable, the number of ranges was restricted to four. The indicated borders of this table are assumed within an accuracy of 5 %.



4.5.4 Simplified procedure for estimating PL 

The PL may be estimated by taking into account all relevant parameters and the 
appropriate methods for calculation (see 4.5.1). 

This clause describes a simplified procedure for estimating the PL of an SRP/CS based on designated architectures. Some other architectures with similar structure may be transformed to these designated architectures in order to obtain an estimation of the PL.

The designated architectures are represented as block diagrams, and are listed in the context of each category in 6.2. Information about the block method and the safety-related block diagrams are given in 6.2 and Annex B.

The designated architectures show a logical representation of the system structure for each category. The technical realization or, for example, the functional circuit diagram, may look completely different.

The designated architectures are drawn for the combined SRP/CS, starting at the points where the safety-related signals are initiated and ending at the output of the power control elements (see also JIS B 9700-1, Annex A). The designated architectures can also be used to describe a part or subpart of a control system that responds to input signals and generates safety-related output signals. Thus the "input" element can represent, for example, a light curtain (AOPD) as well as input circuits of control logic elements or input switches. "Output" can also represent, for example, an output signal switching device (OSSD) or outputs of laser-scanners.

For the designated architectures, the following typical assumptions are made: 

— mission time, 20 years (see clause 10); 

— constant failure rates within the mission time; 
— for category 2, demand rate ≤ 1/100 test rate;

— for category 2, MTTFd,TE larger than half of MTTFd,L.

NOTE : When blocks of each channel cannot be separated, the following can be applied: MTTFd of the summarized test channel (TE, OTE) larger than half MTTFd of the summarized functional channel (I, L, O).

The methodology considers the categories as architectures with defined DCavg. The PL of each SRP/CS depends on the architecture, the mean time to dangerous failure (MTTFd) in each channel and the DCavg.

Common cause failures (CCF) should also be taken into account (for guidance, see 
Annex F). 

For SRP/CS with software, the requirements of 4.6 apply.

If quantitative data is not available or not used (e.g. low complexity systems), the 
worst case of all relevant parameters should be chosen. 

A combination of SRP/CS or a single SRP/CS may have a PL. The combination of several SRP/CS with different PL is considered in 6.3.

In the case of applications with PLr a to c, measures to avoid faults can be sufficient; for higher risk applications, PLr d to e, the structure of the SRP/CS can provide measures for avoiding, detecting or tolerating faults. Practical measures include redundancy, diversity, monitoring (see also JIS B 9700-2, clause 3 and JIS B 9960-1).

Figure 5 shows the procedure for the selection of categories in combination with the 
MTTF d of each channel and DC avg to achieve the required PL of the safety function. 

For the estimation of the PL, figure 5 gives the different possible combinations of category with DCavg (horizontal axis) and the MTTFd of each channel (bars). The bars in the diagram represent the three MTTFd ranges of each channel (low, medium and high) which can be selected to achieve the required PL.

Before using this simplified approach with figure 5 (which represents results of different Markov models based on designated architectures of clause 6), the category of the SRP/CS as well as DCavg and the MTTFd of each channel shall be determined (see clause 6 and Annexes C to E).

For categories 2, 3 and 4, sufficient measures against common cause failure shall be carried out (for guidance, see Annex F). Taking these parameters into account, figure 5 provides a graphical method for determining the PL achieved by the SRP/CS. The combination of category (including common cause failure) and DCavg determines which column of figure 5 is to be chosen. According to the MTTFd of each channel, one of the three different shaded areas of the relevant column shall be chosen.

The vertical position of this area determines the achieved PL which can be read off the vertical axis. If the area covers two or three possible PLs, the PL achieved is given in table 7. For a more precise numerical selection of PL depending on the precise value of MTTFd of each channel, see Annex K.
[Figure 5 is a bar chart not reproduced here. Vertical axis: PL a to e. Horizontal axis (columns, left to right): Cat. B, DCavg none; Cat. 1, DCavg none; Cat. 2, DCavg low; Cat. 2, DCavg medium; Cat. 3, DCavg low; Cat. 3, DCavg medium; Cat. 4, DCavg high.]

Key

PL performance level

1 MTTFd of each channel = low

2 MTTFd of each channel = medium

3 MTTFd of each channel = high

Figure 5 Relationship between categories, DCavg, MTTFd of each channel and PL

Table 7 Simplified procedure for evaluating PL achieved by SRP/CS

| Category | B | 1 | 2 | 2 | 3 | 3 | 4 |
|---|---|---|---|---|---|---|---|
| DCavg | none | none | low | medium | low | medium | high |
| MTTFd of each channel = Low | a | Not covered | a | b | b | c | Not covered |
| MTTFd of each channel = Medium | b | Not covered | b | c | c | d | Not covered |
| MTTFd of each channel = High | Not covered | c | c | d | d | d | e |
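The simplified procedure of 4.5.2 to 4.5.4 (tables 5, 6 and 7), the PL/SIL mapping of table 4 and the check of 4.7 carried through in code, as an added example that is not part of this Standard; the function names, the CCF flag and the sample values are assumptions made for illustration:

```python
"""Simplified PL estimation (4.5.4) from category, DCavg and MTTFd of each
channel, plus the PL >= PLr check of 4.7 and the PL/SIL mapping of table 4.

Added example, not part of JIS B 9705-1 / ISO 13849-1. Function names and
the sample values are assumptions made for illustration."""
from typing import Optional


def select_mttfd(manufacturer_data: Optional[float] = None,
                 annex_estimate: Optional[float] = None) -> float:
    """Hierarchy of 4.5.2: manufacturer's data, then Annex C/D methods,
    then the default of ten years."""
    if manufacturer_data is not None:
        return manufacturer_data
    if annex_estimate is not None:
        return annex_estimate
    return 10.0


def mttfd_range(mttfd_years: float) -> str:
    """Table 5. Values above 100 years are capped at 100 (4.5.2); values
    below 3 years are outside the scale and rejected."""
    if mttfd_years < 3:
        raise ValueError("MTTFd of each channel below 3 years is outside table 5")
    capped = min(mttfd_years, 100.0)
    if capped < 10:
        return "low"
    if capped < 30:
        return "medium"
    return "high"


def dc_range(dc_percent: float) -> str:
    """Table 6 (DCavg when the SRP/CS consists of several parts)."""
    if not 0 <= dc_percent <= 100:
        raise ValueError("DC must be a percentage")
    if dc_percent < 60:
        return "none"
    if dc_percent < 90:
        return "low"
    if dc_percent < 99:
        return "medium"
    return "high"


# Table 7: one entry per column of figure 5, i.e. per (category, DCavg)
# combination; None means "not covered" by the designated architectures.
TABLE_7 = {
    ("B", "none"):   {"low": "a",  "medium": "b",  "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a",  "medium": "b",  "high": "c"},
    ("2", "medium"): {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "low"):    {"low": "b",  "medium": "c",  "high": "d"},
    ("3", "medium"): {"low": "c",  "medium": "d",  "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}

PL_ORDER = "abcde"

# Table 4: PL a has no correspondence on the SIL scale.
PL_TO_SIL = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}


def estimate_pl(category: str, mttfd_years: float, dc_percent: float,
                ccf_measures_sufficient: bool = True) -> Optional[str]:
    """Return the PL read from table 7, or None if the combination is
    'not covered'. Raises if (category, DCavg) is not a column of figure 5
    or if CCF measures are missing where categories 2, 3 and 4 need them."""
    column = (category, dc_range(dc_percent))
    if column not in TABLE_7:
        raise ValueError(f"category {category} with DCavg {column[1]} "
                         "is not a designated architecture")
    if category in ("2", "3", "4") and not ccf_measures_sufficient:
        raise ValueError("categories 2, 3 and 4 need sufficient measures "
                         "against CCF (Annex F)")
    return TABLE_7[column][mttfd_range(mttfd_years)]


def meets_plr(achieved: Optional[str], required: str) -> bool:
    """4.7: the achieved PL shall be greater than or equal to PLr."""
    if achieved is None:
        return False
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


if __name__ == "__main__":
    # constructed sample: category 3, DCavg 92 %, MTTFd 45 years, PLr = d
    pl = estimate_pl("3", select_mttfd(manufacturer_data=45.0), 92.0)
    print(pl, PL_TO_SIL[pl], meets_plr(pl, "d"))
```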



4.6 Software safety requirements 

4.6.1 General

All lifecycle activities of safety-related embedded or application software shall primarily consider the avoidance of faults introduced during the software lifecycle (see figure 6). The main objective of the following requirements is to have readable, understandable, testable and maintainable software.

NOTE : Annex J gives more detailed recommendations for lifecycle activities.

Figure 6 Simplified V-model of software safety lifecycle

4.6.2 Safety-related embedded software (SRESW)

For SRESW for components with PL r a to d, the following basic measures shall be 
applied: 

— software safety lifecycle with verification and validation activities, see figure 6; 

— documentation of specification and design; 

— modular and structured design and coding; 

— control of systematic failures (see G.2); 

— where using software-based measures for control of random hardware failures, 
verification of correct implementation; 

— functional testing, e.g. black box testing; 

— appropriate software safety lifecycle activities after modifications. 

For SRESW for components with PLr c or d, the following additional measures shall be applied:

— project management and quality management system comparable to, e.g. IEC 61508 
series or JIS Q 9001; 

— documentation of all relevant activities during software safety lifecycle; 

— configuration management to identify all configuration items and documents related to a SRESW release;

— structured specification with safety requirements and design;

— use of suitable programming languages and computer-based tools with confidence from use;

— modular and structured programming, separation in non-safety-related software, limited module sizes with fully defined interfaces, use of design and coding standards;

— coding verification by walk-through/review with control flow analysis; 

— extended functional testing, e.g. grey box testing, performance testing or simulation;

— impact analysis and appropriate software safety lifecycle activities after modifications.

SRESW for components with PLr = e shall comply with IEC 61508-3, clause 7, appropriate for SIL3. When using diversity in specification, design and coding, for the two channels used in SRP/CS with category 3 or 4, PLr = e can be achieved with the above-mentioned measures for PLr of c or d.

NOTE 1 For a detailed description of such measures, see, e.g. IEC 61508-7. 

NOTE 2 For SRESW with diversity in design and coding, for components used 
in SRP/CS with category 3 or 4, the effort involved in taking measures 
to avoid systematic failures can be reduced by, for example, reviewing 
parts of the software only by considering structural aspects instead of 
checking each line of code. 

4.6.3 Safety-related application software (SRASW) 

The software safety lifecycle (see figure 6) applies also to SRASW (see Annex J). 

SRASW written in LVL and complying with the following requirements can achieve a PL a to e. If SRASW is written in FVL, the requirements for SRESW shall apply and PL a to e is achievable. If a part of the SRASW within one component has any impact (e.g. due to its modification) on several safety functions with different PL, then the requirements related to the highest PL shall apply. For SRASW for components with PLr from a to e, the following basic measures shall be applied:

— development lifecycle with verification and validation activities, see figure 6; 

— documentation of specification and design; 

— modular and structured programming; 

— functional testing; 

— appropriate development activities after modifications. 

For SRASW for components with PLr from c to e, the following additional measures with increasing efficiency (lower effectiveness for PLr of c, medium effectiveness for PLr of d, higher effectiveness for PLr of e) are required or recommended.

a) The safety-related software specification shall be reviewed (see also Annex J), made available to every person involved in the lifecycle and shall contain the description of:

1) safety functions with required PL and associated operation modes,

2) performance criteria, e.g. reaction times, 

3) hardware architecture with external signal interfaces, and 

4) detection and control of external failure. 

b) Selection of tools, libraries, languages: 

1) Suitable tools with confidence from use: for PL = e achieved with one component and its tool, the tool shall comply with the appropriate safety standard; if two diverse components with diverse tools are used, confidence from use may be sufficient. Technical features which detect conditions that could cause systematic error (such as data type mismatch, ambiguous dynamic memory allocation, incomplete called interfaces, recursion, pointer arithmetic) shall be used. Checks should mainly be carried out during compile time and not only at runtime. Tools should enforce language subsets and coding guidelines or at least supervise or guide the developer using them.

2) Whenever reasonable and practicable, validated function block (FB) libraries should be used, either safety-related FB libraries provided by the tool manufacturer (highly recommended for PL = e) or validated application specific FB libraries in conformity with this Standard;

3) A justified LVL-subset suitable for a modular approach should be used, e.g. accepted subset of JIS B 3503 languages. Graphical languages (e.g. function block diagram, ladder diagram) are highly recommended.

c) Software design shall feature: 

1) semi-formal methods to describe data and control flow, e.g. state diagram or 
program flow chart, 

2) modular and structured programming predominantly realized by function blocks 
deriving from safety-related validated function block libraries, 

3) function blocks of limited size of coding, 

4) code execution inside function block which should have one entry and one exit 
point, 

5) architecture model of three stages, Inputs => Processing => Outputs (see figure 7 
and Annex J), 

6) assignment of a safety output at only one program location, and 

7) use of techniques for detection of external failure and for defensive programming 
within input, processing and output blocks which lead to safe state. 
Figure 7 General architecture model of software

d) Where SRASW and non-SRASW are combined in one component: 

1) SRASW and non-SRASW shall be coded in different function blocks with well- 
defined data links; 

2) there shall be no logical combination of non-safety-related and safety-related data 
which could lead to downgrading of the integrity of safety-related signals, for 
example, combining safety-related and non-safety-related signals by a logical 
"OR" where the result controls safety-related signals. 

e) Software implementation/coding: 

1) code shall be readable, understandable and testable and, because of this, symbolic variables (instead of explicit hardware addresses) should be used;

2) justified or accepted coding guidelines shall be used (see also Annex J);

3) data integrity and plausibility checks (e.g. range checks) available on application layer (defensive programming) should be used;

4) code should be tested by simulation; 

5) verification should be by control and data flow analysis for PL = d or e. 

f) Testing: 

1) the appropriate validation method is black-box testing of functional behaviour 
and performance criteria (e.g. timing performance); 

2) for PL = d or e, test case execution from boundary value analysis is recommended; 

3) test planning is recommended and should include test cases with completion 
criteria and required tools; 

4) I/O testing shall ensure that safety-related signals are correctly used within SRASW.

g) Documentation: 

1) all lifecycle and modification activities shall be documented; 

2) documentation shall be complete, available, readable and understandable; 
3) code documentation within source text shall contain module headers with legal entity, functional and I/O description, version and version of used library function blocks, and sufficient comments of networks/statement and declaration lines.

h) Verification 

Example : Review, inspection, walkthrough or other appropriate activities.

NOTE : Verification is only necessary for application-specific code, and not for 
validated library functions. 

i) Configuration management 

It is highly recommended that procedures and data backup be established to 
identify and archive documents, software modules, verification/validation results 
and tool configuration related to a specific SRASW version. 

j) Modifications 

After modifications of SRASW, impact analysis shall be performed to ensure specification. Appropriate lifecycle activities shall be performed after modifications. Access rights to modifications shall be controlled and modification history shall be documented.

NOTE : Modification does not affect systems already in use. 

4.6.4 Software-based parameterization 

Software-based parameterization of safety-related parameters shall be considered as a safety-related aspect of SRP/CS design to be described in the software safety requirements specification. Parameterization shall be carried out using a dedicated software tool provided by the supplier of the SRP/CS. This tool shall have its own identification (name, version, etc.) and shall prevent unauthorized modification, for example, by use of a password.

The integrity of all data used for parameterization shall be maintained. This shall 
be achieved by applying measures to 

— control the range of valid inputs, 

— control data corruption before transmission, 

— control the effects of errors from the parameter transmission process, 

— control the effects of incomplete parameter transmission, and 

— control the effects of faults and failures of hardware and software of the tool used 
for parameterization. 

The parameterization tool shall fulfil all requirements for SRP/CS according to this Standard. Alternatively, a special procedure shall be used for setting the safety-related parameters. This procedure shall include confirmation of input parameters to the SRP/CS by either

— retransmission of the modified parameters to the parameterization tool, or 

— other suitable means of confirming the integrity of the parameters, 

as well as subsequent confirmation, e.g. by a suitably skilled person and by means of 
an automatic check by a parameterization tool. 
NOTE 1 This is of particular importance where parameterization is carried out using a device not specifically intended for the purpose (e.g. personal computer or equivalent).

The software modules used for encoding/decoding within the transmission/retransmission process and software modules used for visualization of the safety-related parameters to the user shall, as a minimum, use diversity in function(s) to avoid systematic failures.

Documentation of software-based parameterization shall indicate data used (e.g. predefined parameter sets) and information necessary to identify the parameters associated with the SRP/CS, the person(s) carrying out the parameterization together with other relevant information such as date of parameterization.

The following verification activities shall be applied for software-based parameterization:

— verification of the correct setting for each safety-related parameter (minimum, 
maximum and representative values); 

— verification that the safety-related parameters are checked for plausibility, for 
example by use of invalid values, etc.; 

— verification that unauthorized modification of safety-related parameters is prevented;

— verification that the data/signals for parameterization are generated and processed in such a way that faults cannot lead to a loss of the safety function.

NOTE 2 This is of particular importance where the parameterization is carried out using a device not specifically intended for this purpose (e.g. personal computer or equivalent).
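The integrity measures of 4.6.4 (range control, detection of corruption and incomplete transmission, prevention of unauthorized modification, and confirmation by retransmission to the tool) shown as a tool/SRP/CS exchange; this is an added example, not code from this Standard, and the frame layout, the constructed parameter limits and the use of an HMAC key in place of a password are assumptions:

```python
"""Software-based parameterization with the integrity measures of 4.6.4:
range control, corruption and truncation detection, completeness check,
authorization, and confirmation by retransmission.

Added example, not part of JIS B 9705-1 / ISO 13849-1. The frame layout
(canonical JSON + CRC-32), the parameter set with its limits, and the use
of an HMAC key as the "password" are assumptions made for illustration."""
import hashlib
import hmac
import json
import zlib

# Constructed parameter limits: name -> (minimum, maximum) valid value.
PARAM_LIMITS = {
    "stop_distance_mm": (50, 2000),
    "max_speed_mm_s": (10, 500),
    "response_time_ms": (20, 300),
}


def encode_parameter_set(params: dict) -> bytes:
    """Tool side: canonical JSON carrying the parameter count, followed by a
    CRC-32 so that corruption and truncation in transit are detectable."""
    body = json.dumps({"count": len(params), "params": params},
                      sort_keys=True).encode()
    return body + zlib.crc32(body).to_bytes(4, "big")


def decode_parameter_set(frame: bytes) -> dict:
    """SRP/CS side: reject the frame unless CRC, completeness and every
    value's range check out."""
    if len(frame) < 5:
        raise ValueError("truncated frame")
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: corrupted or truncated frame")
    message = json.loads(body)
    params = message["params"]
    if message["count"] != len(params) or set(params) != set(PARAM_LIMITS):
        raise ValueError("incomplete or unexpected parameter set")
    for name, value in params.items():
        low, high = PARAM_LIMITS[name]
        if isinstance(value, bool) or not isinstance(value, int) \
                or not low <= value <= high:
            raise ValueError(f"{name}={value!r} outside valid range")
    return params


class SafetyController:
    """SRP/CS that accepts a new parameter set only from an authorized tool
    and only after the retransmitted set has been confirmed by the tool."""

    def __init__(self, auth_key: bytes):
        self._key = auth_key
        self.active = None    # parameters currently in force
        self._pending = None  # received, not yet confirmed

    def receive(self, frame: bytes, auth_tag: bytes) -> bytes:
        """Check authorization, validate the frame, and retransmit the
        decoded parameters to the tool for confirmation."""
        expected = hmac.new(self._key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth_tag):
            raise PermissionError("unauthorized parameterization attempt")
        self._pending = decode_parameter_set(frame)
        return encode_parameter_set(self._pending)

    def confirm(self, confirmed: dict) -> bool:
        """Activate the pending set only if the tool's confirmation matches
        it exactly; any mismatch discards the pending set."""
        ok = self._pending is not None and confirmed == self._pending
        if ok:
            self.active = self._pending
        self._pending = None
        return ok


def tool_session(controller: SafetyController, auth_key: bytes,
                 params: dict) -> bool:
    """Tool side of the procedure: send, compare the echo with what was
    sent (a check independent of the controller's), then confirm."""
    frame = encode_parameter_set(params)
    tag = hmac.new(auth_key, frame, hashlib.sha256).digest()
    echo = controller.receive(frame, tag)
    if decode_parameter_set(echo) != params:
        return False
    return controller.confirm(params)
```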

4.7 Verification that achieved PL meets PLr

For each individual safety function the PL of the related SRP/CS shall match the required performance level (PLr) determined according to 4.3 (see figure 3). If this is not the case, an iteration in the process described in figure 3 is necessary.

The PL of the different SRP/CS which are part of a safety function shall be greater than or equal to the required performance level (PLr) of this safety function.

4.8 Ergonomic aspects of design 

The interface between operators and the SRP/CS shall be designed and realized such that no person is endangered during all intended use and reasonably foreseeable misuse of the machine (see also JIS B 9700-2, EN 614-1, ISO 9355-1, ISO 9355-2, ISO 9355-3, EN 1005-3, JIS B 9960-1, clause 10, IEC 60447 and JIS B 9706 series).

Ergonomic principles shall be used so that the machine and the control system, including the safety-related parts, are easy to use, and so that the operator is not tempted to act in a hazardous manner.

The safety requirements for observing ergonomic principles given in JIS B 9700-2, 
4.8, apply. 






5 Safety functions 

5.1 Specification of safety functions 

This clause provides a list and details of safety functions which can be provided by the SRP/CS. The designer (or type-C standard maker) shall include those necessary to achieve the measures of safety required of the control system for the specific application.

Example : Safety-related stop function, prevention of unexpected start-up, manual reset function, muting function, hold-to-run function.

NOTE : Machinery control systems provide operational and/or safety functions. Operational functions (e.g. starting, normal stopping) can also be safety functions, but this can be ascertained only after a complete risk assessment on the machinery has been carried out.

Tables 8 and 9 list some typical safety functions and, respectively, certain of their characteristics and safety-related parameters, while making reference to other JISs and International Standards whose requirements relate to the safety function, characteristic or parameter. The designer (or type-C standard maker) shall ensure that all applicable requirements are satisfied for the relevant safety functions listed in the tables.

Additional requirements are set out in this clause for certain of the safety function 
characteristics. 

Where necessary, the requirements for characteristics and safety functions shall 
be adapted for use with different energy sources. 

As most of the references in tables 8 and 9 relate to electrical standards, the applicable requirements will need to be adapted in the case of other technologies (e.g. hydraulic, pneumatic).
Table 8 Some JISs applicable to typical machine safety functions and certain of their characteristics

| Safety function/characteristic | Requirements: This Standard | Requirements: JIS B 9700-1 | Requirements: JIS B 9700-2 | For additional information, see |
|---|---|---|---|---|
| Safety-related stop function initiated by safeguard a) | 5.2.1 | 3.26.8 | 4.11.3 | JIS B 9960-1, 9.2.2, 9.2.5.3, 9.2.5.5 |
| Manual reset function | 5.2.2 | — | — | JIS B 9960-1, 9.2.5.3, 9.2.5.4 |
| Start/restart function | 5.2.3 | — | 4.11.3, 4.11.4 | JIS B 9960-1, 9.2.1, 9.2.5.1, 9.2.5.2, 9.2.6 |
| Local control function | 5.2.4 | — | 4.11.8, 4.11.10 | JIS B 9960-1, 10.1.5 |
| Muting function | 5.2.5 | — | — | — |
| Hold-to-run function | — | — | 4.11.8 b) | JIS B 9960-1, 9.2.6.1 |
| Enabling device function | — | — | — | JIS B 9960-1, 9.2.6.3, 10.9 |
| Prevention of unexpected start-up | — | — | 4.11.4 | JIS B 9714; JIS B 9960-1, 5.4 |
| Escape and rescue of trapped persons | — | — | 5.5.3 | — |
| Isolation and energy dissipation function | — | — | 5.5.4 | JIS B 9714; JIS B 9960-1, 5.3, 6.3.1 |
| Control modes and mode selection | — | — | 4.11.8, 4.11.10 | JIS B 9960-1, 9.2.3, 9.2.4 |
| Interaction between different safety-related parts of control systems | — | — | 4.11.1 (last sentence) | JIS B 9960-1, 9.3.4 |
| Monitoring of parameterization of safety-related input values | 4.6.4 | — | — | — |
| Emergency stop function b) | — | — | 5.5.2 | JIS B 9703; JIS B 9960-1, 9.2.5.4 |

Notes a) Including interlocked guards and limiting devices (e.g. overspeed, overtemperature, overpressure).

b) Complementary protective measure, see JIS B 9700-1.
Table 9 Some International Standards and JISs giving requirements 
for certain safety functions and safety-related parameters 

| Safety function/safety-related parameter | Requirement: This Standard | Requirement: JIS B 9700-2 | For additional information, see: |
|---|---|---|---|
| Response time | 5.2.6 | — | JIS B 9715, 3.2, A.3, A.4 |
| Safety-related parameter such as speed, temperature or pressure | 5.2.7 | 4.11.8 e) | JIS B 9960-1, 7.1, 9.3.2, 9.3.4 |
| Fluctuations, loss and restoration of power sources | 5.2.8 | 4.11.8 e) | JIS B 9960-1, 4.3, 7.1, 7.5 |
| Indications and alarms | — | 4.8 | ISO 7731; ISO 11428; ISO 11429; JIS B 9706-1; JIS B 9960-1, 10.3, 10.4; JIS B 9961 |


When identifying and specifying the safety function(s), the following shall at least 
be considered: 

a) results of the risk assessment for each specific hazard or hazardous situation; 

b) machine operating characteristics, including 

— intended use of the machine (including reasonably foreseeable misuse), 

— modes of operation (e.g. local mode, automatic mode, modes related to a zone or 
part of the machine), 

— cycle time, and 

— response time; 

c) emergency operation; 

d) description of the interaction of different working processes and manual activities 
(repairing, setting, cleaning, trouble shooting, etc.); 

e) the behaviour of the machine that a safety function is intended to achieve or to 
prevent; 

f) condition(s) (e.g. operating mode) of the machine in which it is to be active or 
disabled; 

g) the frequency of operation; 

h) priority of those functions that can be simultaneously active and that can cause 
conflicting action. 

5.2 Details of safety functions 

5.2.1 Safety-related stop function 

The following applies in addition to the requirements of table 8. 
A safety-related stop function (e.g. initiated by a safeguard) shall, as soon as nec- 
essary after actuation, put the machine in a safe state. Such a stop shall have prior- 
ity over a stop for operational reasons. 

When a group of machines are working together in a coordinated manner, provi- 
sion shall be made for signalling the supervisory control and/or the other machines that 
such a stop condition exists. 

NOTE : A safety-related stop function can cause operational problems and a dif- 
ficult restart, e.g. in an arc welding application. To reduce the tempta- 
tion to defeat this stop function, it can be preceded with a stop for 
operational reasons to finalize the actual operation and prepare for an 
easy and quick restart from the stop position (e.g. without any damage 
of the production). One solution is the use of interlocking device with 
guard locking where the guard locking is released when the cycle has 
reached a defined position where the easy restart is possible. 

5.2.2 Manual reset function 

The following applies in addition to the requirements of table 8. 

After a stop command has been initiated by a safeguard, the stop condition shall 
be maintained until safe conditions for restarting exist. 

The re-establishment of the safety function by resetting of the safeguard cancels 
the stop command. If indicated by the risk assessment, this cancellation of the stop 
command shall be confirmed by a manual, separate and deliberate action (manual reset). 

The manual reset function shall 

— be provided through a separate and manually operated device within the SRP/CS, 

— only be achieved if all safety functions and safeguards are operative, 

— not initiate motion or a hazardous situation by itself, 

— be by deliberate action, 

— enable the control system for accepting a separate start command, 

— only be accepted by disengaging the actuator from its energized (on) position. 

The performance level of safety-related parts providing the manual reset function 
shall be selected so that the inclusion of the manual reset function does not diminish 
the safety required of the relevant safety function. 

The reset actuator shall be situated outside the danger zone and in a safe position 
from which there is good visibility for checking that no person is within the danger 
zone. 

Where the visibility of the danger zone is not complete, a special reset procedure 
is required. 

NOTE : One solution is the use of a second reset actuator. The reset function is 
initiated within the danger zone by the first actuator in combination with 
a second reset actuator located outside the danger zone (near the safe- 
guard). This reset procedure needs to be realized within a limited time 
before the control system accepts a separate start command. 
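The manual reset requirements of 5.2.2, together with the separate start command of 5.2.3, as an added example that is not part of the standard's text: a small scan-based model of the reset logic whose class and function names are this example's own assumptions, and whose input sequences are constructed.

```python
"""
Added example (not from JIS B 9705-1 / ISO 13849-1): a model of the manual
reset function of 5.2.2, written to be checked against the bullet list there.
All names below are this example's own; the scan-based structure is assumed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SafeguardInputs:
    """One scan of the inputs seen by the reset logic (constructed sample data)."""
    safeguards_operative: bool   # all interlocked guards closed, ESPE clear, etc.
    reset_actuator: bool         # True while the reset push button is pressed
    start_command: bool          # separate, deliberate start command


class ManualResetLogic:
    """
    Stop condition after a safeguard-initiated stop.

    stop_active   : stop command is latched; maintained until safe conditions
                    exist AND a manual reset has been accepted (5.2.2)
    reset_pending : actuator pressed while safeguards operative; acceptance
                    happens only when the actuator is released (disengaged)
    enabled       : the control system may accept a separate start command
    """

    def __init__(self) -> None:
        self.stop_active = True
        self.reset_pending = False
        self.enabled = False
        self.log: List[str] = []

    def scan(self, inp: SafeguardInputs) -> bool:
        """Process one input scan; return True if motion may start this scan."""
        # Any safeguard not operative: (re)impose the stop and drop the enable.
        if not inp.safeguards_operative:
            if not self.stop_active:
                self.log.append("stop: safeguard no longer operative")
            self.stop_active = True
            self.enabled = False
            self.reset_pending = False
            return False

        if self.stop_active:
            # Reset is accepted on the release edge of the actuator only, and
            # only if it was engaged while all safeguards were operative.
            if inp.reset_actuator:
                self.reset_pending = True
            elif self.reset_pending:
                self.reset_pending = False
                self.stop_active = False
                self.enabled = True      # reset enables acceptance of a start
                self.log.append("reset accepted on actuator release")
            # The reset itself never initiates motion, even with start pressed.
            return False

        # Stop cleared: motion starts only on the separate start command.
        if self.enabled and inp.start_command:
            self.log.append("start command accepted")
            return True
        return False


def run_scenario(scans: List[SafeguardInputs]) -> List[bool]:
    """Run a constructed scan sequence through fresh logic; return motion flags."""
    logic = ManualResetLogic()
    return [logic.scan(s) for s in scans]
```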
5.2.3 Start/restart function 

The following applies in addition to the requirements of table 8. 

A restart shall take place automatically only if a hazardous situation cannot exist. 
In particular, for interlocking guards with a start function, JIS B 9700-2, 5.3.2.5, ap- 
plies. 

These requirements for start and restart shall also apply to machines which can 
be controlled remotely. 

NOTE : A sensor feedback signal to the control system can initiate an automatic 
restart. 

Example : In automatic machine operations, sensor feedback signals to the con- 
trol system are often used to control the process flow. If a work piece 
has come out of position, the process flow is stopped. If the monitor- 
ing of the interlocked safeguard is not superior to the automatic pro- 
cess control, there could be a danger of restarting the machine while 
the operator readjusts the work piece. Therefore the remotely con- 
trolled restart ought not to be allowed until the safeguard is closed 
again and the maintainer has left the hazardous area. The contribu- 
tion of prevention of unexpected start-up provided by the control sys- 
tem is dependent on the result of the risk assessment. 

5.2.4 Local control function 

The following applies in addition to the requirements of table 8. 

When a machine is controlled locally, e.g. by a portable control device or pendant, 
the following requirements shall apply: 

— the means for selecting local control shall be situated outside the danger zone; 

— it shall only be possible to initiate hazardous conditions by a local control in a zone 
defined by the risk assessment; 

— switching between local and main control shall not create a hazardous situation. 

5.2.5 Muting function 

The following applies in addition to the requirements of table 8. 

Muting shall not result in any person being exposed to hazardous situations. During 
muting, safe conditions shall be provided by other means. 

At the end of muting, all safety functions of the SRP/CS shall be reinstated. 

The performance level of safety-related parts providing the muting function shall 
be selected so that the inclusion of the muting function does not diminish the safety 
required of the relevant safety function. 

NOTE : In some applications, an indication signal of muting is necessary. 

5.2.6 Response time 

The following applies in addition to the requirements of table 9. 

The response time of the SRP/CS shall be determined when the risk assessment of 
the SRP/CS indicates that this is necessary (see also clause 11). 
NOTE : The response time of the control system is part of the overall response 
time of the machine. The required overall response time of the machine 
can influence the design of the safety-related part, e.g. the need to pro- 
vide a braking system. 

5.2.7 Safety-related parameters 

The following applies in addition to the requirements of table 9. 

When safety-related parameters, e.g. position, speed, temperature or pressure, de- 
viate from preset limits, the control system shall initiate appropriate measures (e.g. 
actuation of stopping, warning signal, alarm). 

If errors in manual inputting of safety-related data in programmable electronic sys- 
tems can lead to a hazardous situation, then a data checking system within the safety- 
related control system shall be provided, e.g. check of limits, format and/or logic input 
values. 

5.2.8 Fluctuations, loss and restoration of power sources 

The following applies in addition to the requirements of table 9. 

When fluctuations in energy levels outside the design operating range occur, includ- 
ing loss of energy supply, the SRP/CS shall continue to provide or initiate output 
signal(s) which will enable other parts of the machine system to maintain a safe state. 

6 Categories and their relation to MTTFd of each channel, DCavg and CCF 

6.1 General 

The SRP/CS shall be in accordance with the requirements of one or more of the five 
categories specified in 6.2. 

Categories are the basic parameters used to achieve a specific PL. They state the 
required behaviour of the SRP/CS in respect of its resistance to faults based on the 
design considerations described in clause 4. 

Category B is the basic category. The occurrence of a fault can lead to the loss of 
the safety function. In category 1 improved resistance to faults is achieved predomi- 
nantly by selection and application of components. In categories 2, 3 and 4, improved 
performance in respect of a specified safety function is achieved predominantly by im- 
proving the structure of the SRP/CS. In category 2 this is provided by periodically check- 
ing that the specified safety function is being performed. In categories 3 and 4 this is 
provided by ensuring that the single fault will not lead to the loss of the safety func- 
tion. In category 4, and whenever reasonably practicable in category 3, such faults will 
be detected. In category 4 the resistance to the accumulation of faults will be speci- 
fied. 

Table 10 gives an overview of categories of the SRP/CS, the requirements and the 
system behaviour in case of faults. 

When considering the causes of failures in some components it is possible to ex- 
clude certain faults (see clause 7). 

The selection of a category for a particular SRP/CS depends mainly upon 
— the reduction in risk to be achieved by the safety function to which the part con- 
tributes, 

— the required performance level (PLr), 

— the technologies used, 

— the risk arising in the case of a fault(s) in that part, 

— the possibilities of avoiding a fault(s) in that part (systematic faults), 

— the probability of occurrence of a fault(s) in that part and relevant parameters, 

— the mean time to dangerous failure (MTTFd), 

— the diagnostic coverage (DC), and 

— the common cause failure (CCF) in the case of categories 2, 3 and 4. 

6.2 Specifications of categories 

6.2.1 General 

Each SRP/CS shall comply with the requirements of the relevant category, see 6.2.3 
to 6.2.7. 

The following architectures typically meet the requirements of the respective cat- 
egory. 

The following figures 8 to 12 show not examples but general architectures. A de- 
viation from these architectures is always possible, but any deviation shall be justi- 
fied, by means of appropriate analytical tools (e.g. Markov modelling, fault tree 
analysis), such that the system meets the required performance level (PLr). 

The designated architectures cannot be considered only as circuit diagrams but also 
as logical diagrams. For categories 3 and 4, this means that not all parts are neces- 
sarily physically redundant but that there are redundant means of assuring that a fault 
cannot lead to the loss of the safety function. 

The lines and arrows in figures 8 to 12 represent logical interconnecting means and 
logical possible diagnostic means, 

6.2.2 Designated architectures 

The structure of an SRP/CS is a key characteristic having great influence on the 
PL. Even if the variety of possible structures is high, the basic concepts are often 
similar. Thus, most structures which are present in the machinery field can be mapped 
to one of the categories. For each category, a typical representation as a safety-related 
block diagram can be made. These typical realizations are called designated archi- 
tectures and are listed in the context of each of the following categories (see figures 8 
to 12). 

It is important that the PL shown in figure 5, depending on the category, MTTFd 
of each channel and DC avg , is based on the designated architectures. If figure 5 is used 
to estimate the PL the architecture of the SRP/CS should be demonstrated to be equiva- 
lent to the designated architecture of the claimed category. Designs fulfilling the 
characteristics of the respective category in general are equivalent to the respective 
designated architecture of the category. 
NOTE : In some cases arising from a specific technical solution or determined by 
a type-C standard, the safety-related performance of the SRP/CS can be 
required only by a category without additional PL r . For such specific 
cases, safety is provided particularly by the architecture, and the require- 
ments for MTTF, DC and CCF do not apply. 

6.2.3 Category B 

The SRP/CS shall, as a minimum, be designed, constructed, selected, assembled and 
combined in accordance with the relevant standards and using basic safety principles 
for the specific application to withstand 

— the expected operating stresses, e.g. the reliability with respect to breaking capacity 
and frequency, 

— the influence of the processed material, e.g. detergents in a washing machine, and 

— other relevant external influences, e.g. mechanical vibration, electromagnetic in- 
terference, power supply interruptions or disturbances. 

There is no diagnostic coverage (DCavg = none) within category B systems and the 
MTTFd of each channel can be low to medium. In such structures (normally single- 
channel systems), the consideration of CCF is not relevant. 

The maximum PL achievable with category B is PL = b. 

NOTE : When a fault occurs it can lead to the loss of the safety function. 

Specific requirements for electromagnetic compatibility are found in the relevant 
product standards, e.g. JIS C 4421 for power drive systems. For functional safety of 
SRP/CS in particular, the immunity requirements are relevant. If no product stan- 
dard exists, at least the immunity requirements of JIS C 61000-6-2 should be followed. 
Figure 8 Designated architecture for category B 

6.2.4 Category 1 

For category 1, the same requirements as those according to 6.2.3 for category B 
shall apply. In addition, the following applies. 

SRP/CS of category 1 shall be designed and constructed using well-tried components 
and well-tried safety principles (see ISO 13849-2). 

A "well-tried component" for a safety-related application is a component which has 
been either 
a) widely used in the past with successful results in similar applications, or 

b) made and verified using principles which demonstrate its suitability and reliabil- 
ity for safety-related applications. 

Newly developed components and safety principles may be considered as equiva- 
lent to "well-tried" if they fulfil the conditions of b). 

The decision to accept a particular component as being "well-tried" depends on the 
application. 

NOTE 1 Complex electronic components (e.g. PLC, microprocessor, application- 
specific integrated circuit) cannot be considered as equivalent to "well- 
tried". 

The MTTFd of each channel shall be high. 

The maximum PL achievable with category 1 is PL = c. 

NOTE 2 There is no diagnostic coverage (DC avg = none) within category 1 systems. 
In such structures (single-channel systems) the consideration of CCF is 
not relevant. 

NOTE 3 When a fault occurs it can lead to the loss of the safety function. How- 
ever, the MTTFd of each channel in category 1 is higher than in category 
B. Consequently, the loss of the safety function is less likely. 

It is important that a clear distinction between "well-tried component" and "fault 
exclusion" (see clause 7) be made. The qualification of a component as being well-tried 
depends on its application. For example, a position switch with positive opening con- 
tacts could be considered as being well-tried for a machine tool, while at the same time 
as being inappropriate for application in a food industry — in the milk industry, for 
instance, this switch would be destroyed by the milk acid after a few months. A fault 
exclusion can lead to a very high PL, but the appropriate measures to allow this fault 
exclusion should be applied during the whole lifetime of the device. In order to en- 
sure this, additional measures outside the control system may be necessary. In the 
case of a position switch, some examples of these kinds of measures are 

— means to secure the fixing of the switch after its adjustment, 

— means to secure the fixing of the cam, 

— means to ensure the transverse stability of the cam, 

— means to avoid overtravel of the position switch, e.g. adequate mounting strength 
of the shock absorber and any alignment devices, and 

— means to protect it against damage from outside. 
Figure 9 Designated architecture for category 1 

6.2.5 Category 2 

For category 2, the same requirements as those according to 6.2.3 for category B 
shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In 
addition, the following applies. 

SRP/CS of category 2 shall be designed so that their function(s) are checked at suit- 
able intervals by the machine control system. The check of the safety function(s) shall 
be performed 

— at the machine start-up, and 

— prior to the initiation of any hazardous situation, e.g. start of a new cycle, start of 
other movements, and/or periodically during operation if the risk assessment and 
the kind of operation shows that it is necessary. 

The initiation of this check may be automatic. Any check of the safety function(s) 
shall either 

— allow operation if no faults have been detected, or 

— generate an output which initiates appropriate control action, if a fault is detected. 

Whenever possible this output shall initiate a safe state. This safe state shall be 
maintained until the fault is cleared. When it is not possible to initiate a safe state 
(e.g. welding of the contact in the final switching device) the output shall provide a 
warning of the hazard. 

For the designated architecture of category 2, as shown in figure 10, the calcula- 
tion of MTTFd and DCavg should take into account only the blocks of the functional chan- 
nel (i.e. I, L and O in figure 10) and not the blocks of the testing channel (i.e. TE and 
OTE in figure 10). 

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall 
be low to medium. The MTTFd of each channel shall be low-to-high, depending on the 
required performance level (PLr). Measures against CCF shall be applied (see Annex F). 

The check itself shall not lead to a hazardous situation (e.g. due to an increase in 
response time). The checking equipment may be integral with, or separate from, the 
safety-related part(s) providing the safety function. 

The maximum PL achievable with category 2 is PL = d. 

NOTE 1 In some cases category 2 is not applicable because the checking of the 
safety function cannot be applied to all components. 
NOTE 2 Category 2 system behaviour allows that 

— the occurrence of a fault can lead to the loss of the safety function 
between checks, 

— the loss of safety function is detected by the check. 

NOTE 3 The principle that supports the validity of a category 2 function is that 
the adopted technical provisions, and, for example, the choice of check- 
ing frequency can decrease the probability of occurrence of a dangerous 
situation. 
Dashed lines represent reasonably practicable fault detection. 

Key 

im interconnecting means 

I input device, e.g. sensor 

L logic 

m monitoring 

O output device, e.g. main contactor 

TE test equipment 

OTE output of TE 

Figure 10 Designated architecture for category 2 

6.2.6 Category 3 

For category 3, the same requirements as those according to 6.2.3 for category B 
shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In 
addition, the following applies. 

SRP/CS of category 3 shall be designed so that a single fault in any of these parts 
does not lead to the loss of the safety function. Whenever reasonably practicable, the 
single fault shall be detected at or before the next demand upon the safety function. 

The diagnostic coverage (DCavg) of the total SRP/CS including fault-detection shall 
be low to medium. The MTTFd of each of the redundant channels shall be low-to-high, 
depending on the PLr. Measures against CCF shall be applied (see Annex F). 

NOTE 1 The requirement of single-fault detection does not mean that all faults 
will be detected. Consequently, the accumulation of undetected faults 
can lead to an unintended output and a hazardous situation at the 
machine. Typical examples of practicable measures for fault detection 
are use of the feedback of mechanically guided relay contacts and moni- 
toring of redundant electrical outputs. 
NOTE 2 If necessary because of technology and application, type-C standard mak- 
ers need to give further details on the detection of faults. 

NOTE 3 Category 3 system behaviour allows that 

— when the single fault occurs the safety function is always performed, 

— some but not all faults will be detected, 

— accumulation of undetected faults can lead to the loss of the safety 
function. 

NOTE 4 The technology used will influence the possibilities for the implemen- 
tation of fault detection. 
Figure 11 Designated architecture for category 3 

6.2.7 Category 4 

For category 4, the same requirements as those according to 6.2.3 for category B 
shall apply. "Well-tried safety principles" according to 6.2.4 shall also be followed. In 
addition, the following applies. 

SRP/CS of category 4 shall be designed such that 

— a single fault in any of these safety-related parts does not lead to a loss of the safety 
function, and 

— the single fault is detected at or before the next demand upon the safety functions, 
e.g. immediately, at switch on, or at end of a machine operating cycle, 

but if this detection is not possible, then an accumulation of undetected faults shall 
not lead to the loss of the safety function. 

The diagnostic coverage (DC avg ) of the total SRP/CS shall be high, including the ac- 
cumulation of faults. The MTTFd of each of the redundant channels shall be high. 
Measures against CCF shall be applied (see Annex F). 
NOTE 1 Category 4 system behaviour allows that 

— when a single fault occurs the safety function is always performed, 

— the faults will be detected in time to prevent the loss of the safety function, 

— accumulation of undetected faults is taken into account. 

NOTE 2 The difference between category 3 and category 4 is a higher DCavg in 
category 4 and a required MTTFd of each channel of "high" only. 

In practice, the consideration of a fault combination of two faults may be sufficient. 
Solid lines for monitoring represent diagnostic coverage that is higher than in 
the designated architecture for category 3. 
Table 10 Summary of requirements for categories 

| Category | Summary of requirements | System behaviour | Principle used to achieve safety | MTTFd of each channel | DCavg | CCF |
|---|---|---|---|---|---|---|
| B (see 6.2.3) | SRP/CS and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function. | Mainly characterized by selection of components | Low to medium | None | Not relevant |
| 1 (see 6.2.4) | Requirements of B shall apply. Well-tried components and well-tried safety principles shall be used. | The occurrence of a fault can lead to the loss of the safety function but the probability of occurrence is lower than for category B. | Mainly characterized by selection of components | High | None | Not relevant |
| 2 (see 6.2.5) | Requirements of B and the use of well-tried safety principles shall apply. Safety function shall be checked at suitable intervals by the machine control system. | The occurrence of a fault can lead to the loss of the safety function between the checks. The loss of safety function is detected by the check. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
| 3 (see 6.2.6) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that — a single fault in any of these parts does not lead to the loss of the safety function, and — whenever reasonably practicable, the single fault is detected. | When a single fault occurs, the safety function is always performed. Some, but not all, faults will be detected. Accumulation of undetected faults can lead to the loss of the safety function. | Mainly characterized by structure | Low to high | Low to medium | See Annex F |
| 4 (see 6.2.7) | Requirements of B and the use of well-tried safety principles shall apply. Safety-related parts shall be designed so that — a single fault in any of these parts does not lead to a loss of the safety function, and — the single fault is detected at or before the next demand upon the safety function, but that if this detection is not possible, an accumulation of undetected faults shall not lead to the loss of the safety function. | When a single fault occurs the safety function is always performed. Detection of accumulated faults reduces the probability of the loss of the safety function (high DC). The faults will be detected in time to prevent the loss of the safety function. | Mainly characterized by structure | High | High including accumulation of faults | See Annex F |

NOTE : For full requirements, see clause 6. 

6.3 Combination of SRP/CS to achieve overall PL 

A safety function can be realized by a combination of several SRP/CS: input sys- 
tem, signal processing unit, output system. These SRP/CS may be assigned to one 
and/or different categories. For each SRP/CS used, a category according to 6.2 shall 
be selected. For the overall combination of these SRP/CS, an overall PL may be iden- 
tified using table 11. In this case, the validation of the combination of SRP/CS is re- 
quired (see figure 3). 

According to 6.2, the combined safety-related parts of a control system start at the 
points where the safety-related signals are initiated and end at the output of the power 
control elements. But the combined SRP/CS could consist of several parts connected 
in a linear (series alignment) or redundant (parallel alignment) way. To avoid a new 
complex estimation of the performance level (PL) achieved by the combined SRP/CS 
where the separate PLs of all parts are already calculated, the following estimations 
are presented for a series alignment of SRP/CS. 

Assumed are N separate SRP/CSi in a series alignment, as a whole performing a 
safety function. For each SRP/CSi, a PLi has already been evaluated. This situation 
is illustrated in figure 13 (see also figure 4 and figure H.2). 
[Figure 13 (block diagram): SRP/CS1 with PL1, SRP/CS2 with PL2, ..., SRP/CSN with PLN, 
connected in series and combined into one SRP/CS with overall PL] 

Figure 13 Combination of SRP/CS to achieve overall PL 

The following method allows the calculation of the PL of the whole combined SRP/ 
CS performing the safety function: 

a) Identify the lowest PLi: this is PLlow. 

b) Identify the number Nlow ≤ N of SRP/CSi with PLi = PLlow. 

c) Look up PL in table 11. 

Table 11 Calculation of PL for series alignment of SRP/CS 

| PLlow | Nlow | ⇒ | PL |
|---|---|---|---|
| a | > 3 | ⇒ | None, not allowed |
| a | ≤ 3 | ⇒ | a |
| b | > 2 | ⇒ | a |
| b | ≤ 2 | ⇒ | b |
| c | > 2 | ⇒ | b |
| c | ≤ 2 | ⇒ | c |
| d | > 3 | ⇒ | c |
| d | ≤ 3 | ⇒ | d |
| e | > 3 | ⇒ | d |
| e | ≤ 3 | ⇒ | e |

NOTE : The values calculated for this look-up table are based 
on reliability values at the mid-point for each PL. 


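Steps a) to c) of 6.3 with table 11 as the look-up, as an added example that is not part of the standard: the function and constant names are this example's own, and the PL lists it is run on are constructed.

```python
"""
Added example (not from JIS B 9705-1 / ISO 13849-1): the procedure of 6.3,
steps a) to c), for N SRP/CS in series alignment, with table 11 as look-up.
Names are this example's own assumptions; the thresholds are table 11's.
"""
from typing import Optional, Sequence

PL_ORDER = "abcde"   # performance levels from lowest (a) to highest (e)

# Table 11: for each PLlow, the largest Nlow for which the overall PL stays
# at PLlow. Above that the overall PL drops one level; for PLlow = a the
# result is "None, not allowed".
NLOW_LIMIT = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


def combined_pl(pls: Sequence[str]) -> Optional[str]:
    """
    Overall PL of the series combination of SRP/CSi, each with an already
    evaluated PLi. Returns None where table 11 gives "None, not allowed".
    """
    if not pls:
        raise ValueError("at least one SRP/CS is required")
    unknown = [pl for pl in pls if pl not in PL_ORDER]
    if unknown:
        raise ValueError(f"unknown PL value(s): {unknown}")

    # a) identify the lowest PLi: this is PLlow
    pl_low = min(pls, key=PL_ORDER.index)
    # b) identify the number Nlow of SRP/CSi with PLi = PLlow
    n_low = sum(1 for pl in pls if pl == pl_low)
    # c) look up PL in table 11
    if n_low <= NLOW_LIMIT[pl_low]:
        return pl_low
    if pl_low == "a":
        return None
    return PL_ORDER[PL_ORDER.index(pl_low) - 1]


def meets_required_pl(pls: Sequence[str], pl_r: str) -> bool:
    """True if the combined SRP/CS reaches the required performance level PLr."""
    pl = combined_pl(pls)
    if pl is None:
        return False
    return PL_ORDER.index(pl) >= PL_ORDER.index(pl_r)


if __name__ == "__main__":
    # Constructed chains: e.g. input device, logic, output device (N = 3)
    for chain, pl_r in ((["d", "e", "d"], "d"),
                        (["c", "c", "c"], "c"),
                        (["a", "a", "a", "a"], "a")):
        print(chain, "->", combined_pl(chain),
              "meets PLr", pl_r, ":", meets_required_pl(chain, pl_r))
```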

7 Fault consideration, fault exclusion 

7.1 General 

In accordance with the category selected, safety-related parts shall be designed to 
achieve the required performance level (PL r ). The ability to resist faults shall be as- 
sessed. 

7.2 Fault consideration 

ISO 13849-2 lists the important faults and failures for the various technologies. 
The lists of faults are not exclusive and, if necessary, additional faults shall be con- 
sidered and listed. In such cases, the method of evaluation should also be clearly elabo- 
rated. For new components not mentioned in ISO 13849-2, a failure mode and effects 
analysis (FMEA, see IEC 60812) shall be carried out to establish the faults that are 
to be considered for those components. 
In general, the following fault criteria shall be taken into account: 

— if, as a consequence of a fault, further components fail, the first fault together with 
all following faults shall be considered as a single fault; 

— two or more separate faults having a common cause shall be considered as a single 
fault (known as a CCF); 

— the simultaneous occurrence of two or more faults having separate causes is con- 
sidered highly unlikely and therefore need not be considered. 

7.3 Fault exclusion 

It is not always possible to evaluate SRP/CS without assuming that certain faults 
can be excluded. For detailed information on fault exclusions, see ISO 13849-2. 

Fault exclusion is a compromise between technical safety requirements and the 
theoretical possibility of occurrence of a fault. 

Fault exclusion can be based on 

— the technical improbability of occurrence of some faults, 

— generally accepted technical experience, independent of the considered application, 
and 

— technical requirements related to the application and the specific hazard. 

If faults are excluded, a detailed justification shall be given in the technical 
documentation. 

8 Validation 

The design of the SRP/CS shall be validated (see figure 3). The validation shall 
demonstrate that the combination of SRP/CS providing each safety function meets all 
relevant requirements of this Standard. 

For details of validation, see ISO 13849-2. 

9 Maintenance 

Preventive or corrective maintenance can be necessary to maintain the specified 
performance of the safety-related parts. Deviations with time from the specified 
performance can lead to a deterioration in safety or even to a hazardous situation. The 
information for use of the SRP/CS shall include instructions for the maintenance 
(including periodic inspection) of the SRP/CS. 

The provisions for the maintainability of the safety-related part(s) of a control 
system shall follow the principles given in JIS B 9700-2, 4.7. All information for 
maintenance shall comply with JIS B 9700-2, 6.5.1 e). 

10 Technical documentation 

When designing an SRP/CS, its designer shall document at least the following 
information relevant to the safety-related part: 

— safety function(s) provided by the SRP/CS; 

— the characteristics of each safety function; 

— the exact points at which the safety-related part(s) start and end; 

— environmental conditions; 

— the performance level (PL); 

— the category or categories selected; 

— the parameters relevant to the reliability (MTTFd, DC, CCF and mission time); 

— measures against systematic failure; 

— the technology or technologies used; 

— all safety-relevant faults considered; 

— justification for fault exclusions (see ISO 13849-2); 

— the design rationale (e.g. faults considered, faults excluded); 

— software documentation; 

— measures against reasonably foreseeable misuse. 

NOTE : In general, this documentation is foreseen as being for the manufacturer's 
internal purposes and will not be distributed to the machine user. 

11 Information for use 

The principles of JIS B 9700-2, 6.5.2, and the applicable sections of other relevant 
documents (e.g. JIS B 9960-1, clause 17), shall be applied. In particular, that 
information which is important for the safe use of the SRP/CS shall be given to the user. 
This shall include, but is not limited to, the following: 

— the limits of the safety-related parts to the category(ies) selected and any fault 
exclusions; 

— the limits of the SRP/CS and any fault exclusions (see 7.3), for which, when 
essential for maintaining the selected category or categories and safety performance, 
appropriate information (e.g. for modification, maintenance and repair) shall be 
given to ensure the continued justification of the fault exclusion(s); 

— the effects of deviations from the specified performance on the safety function(s); 

— clear descriptions of the interfaces to the SRP/CS and protective devices; 

— response time; 

— operating limits (including environmental conditions); 

— indications and alarms; 

— muting and suspension of safety functions; 

— control modes; 

— maintenance (see clause 9); 

— maintenance check lists; 

— ease of accessibility and replacing of internal parts; 

— means for easy and safe troubleshooting; 

— information explaining the applications for use relevant to the category to which 
reference is made; 

— checking test intervals where relevant. 

Specific information shall be provided on the category or categories and performance 
level of the SRP/CS, as follows: 

— dated reference to this Standard (i.e. "JIS B 9705-1:2011"); 

— the Category, B, 1, 2, 3, or 4; 

— the performance level, a, b, c, d, or e. 

Example : An SRP/CS in accordance with this Standard, of Category B and 
performance level a, would be referred to as follows: 

JIS B 9705-1:2011 Category B PL a 
Annex A (informative) 
Determination of required performance level (PLr) 



A.1 Selection of PLr 

This Annex is concerned with the contribution to the reduction in risk made by the 
safety-related parts of the control system being considered. The method given here 
provides only an estimation of risk reduction and is intended as guidance to the 
designer and standard maker in determining the PLr for each necessary safety function 
to be carried out by an SRP/CS. 

The risk assessment assumes a situation prior to provision of the intended safety 
function. Risk reduction by other technical measures independent of the control 
system (e.g. mechanical guards), or additional safety functions, can be taken into account 
in determining the PLr of the intended safety function; in which case, the starting point 
of figure A.1 can be selected after the implementation of these measures (see also 
figure 2). The severity of injury (denoted by S) is relatively easy to estimate (e.g. 
laceration, amputation, fatality). For the frequency of occurrence, auxiliary parameters 
are used to improve the estimation. These parameters are 

— frequency and time of exposure to the hazard (F), and 

— possibility of avoiding the hazard or limiting the harm (P). 

Experience has shown that these parameters can be combined, as in figure A.1, to 
give a gradation of risk from low to high. It is emphasized that this is a qualitative 
process giving only an estimation of risk. 

A.2 Guidance for selecting parameters S, F and P for the risk estimation 

A.2.1 Severity of injury S1 and S2 

In estimating the risk arising from a failure of a safety function only slight 
injuries (normally reversible) and serious injuries (normally irreversible) and death are 
considered. 

To make a decision the usual consequences of accidents and normal healing 
processes should be taken into account in determining S1 and S2. For example, bruising 
and/or lacerations without complications would be classified as S1, whereas 
amputation or death would be S2. 

A.2.2 Frequency and/or exposure times to hazard, F1 and F2 

A generally valid time period to be selected for parameter F1 or F2 cannot be 
specified. However, the following explanation could facilitate making the right decision 
where doubt exists. 

F2 should be selected if a person is frequently or continuously exposed to the 
hazard. It is irrelevant whether the same or different persons are exposed to the hazard 
on successive exposures, e.g. for the use of lifts. The frequency parameter should be 
chosen according to the frequency and duration of access to the hazard. 

Where the demand on the safety function is known by the designer, the frequency 
and duration of this demand can be chosen instead of the frequency and duration of 
access to the hazard. In this Standard, the frequency of demand on the safety 
function is assumed to be more than once per year. 

The period of exposure to the hazard should be evaluated on the basis of an 
average value which can be seen in relation to the total period of time over which the 
equipment is used. For example, if it is necessary to reach regularly between the tools of 
the machine during cyclic operation in order to feed and move work pieces, then F2 
should be selected. If access is only required from time to time, then F1 should be 
selected. 

NOTE : In case of no other justification F2 should be chosen, if the frequency is 
higher than once per hour. 

A.2.3 Possibility of avoiding the hazard P1 and P2 

It is important to know whether a hazardous situation can be recognized and avoided 
before leading to an accident. For example, an important consideration is whether the 
hazard can be directly identified by its physical characteristics, or recognized only by 
technical means, e.g. indicators. Other important aspects which influence the 
selection of parameter P include, for example: 

— operation with or without supervision; 

— operation by experts or non-professionals; 

— speed with which the hazard arises (e.g. quickly or slowly); 

— possibilities for hazard avoidance (e.g. by escaping); 

— practical safety experiences relating to the process. 

When a hazardous situation occurs, P1 should only be selected if there is a 
realistic chance of avoiding an accident or of significantly reducing its effect; P2 should be 
selected if there is almost no chance of avoiding the hazard. 

Figure A.1 provides guidance for the determination of the safety-related PL, 
depending on the risk assessment. The graph should be considered for each safety function. 
The risk assessment method is based on JIS B 9702 and should be used in accordance 
with JIS B 9700-1. 
Figure A.1 Risk graph for determining required PLr for safety function 
(the graph itself is not reproduced here; its key follows) 

Key 

1   starting point for evaluation of safety function's contribution to risk reduction 
L   low contribution to risk reduction 
H   high contribution to risk reduction 
PLr required performance level 

Risk parameters: 

S   severity of injury 
    S1 slight (normally reversible injury) 
    S2 serious (normally irreversible injury or death) 
F   frequency and/or exposure to hazard 
    F1 seldom-to-less-often and/or exposure time is short 
    F2 frequent-to-continuous and/or exposure time is long 
P   possibility of avoiding hazard or limiting harm 
    P1 possible under specific conditions 
    P2 scarcely possible 
Annex B (informative) 
Block method and safety-related block diagram 



B.1 Block method 

The simplified approach requires a block-oriented logical representation of the 
SRP/CS. The SRP/CS should be separated into a small number of blocks according to 
the following: 

— blocks should represent logical units of the SRP/CS related to the execution of the 
safety function; 

— different channels performing the safety function should be separated into 
different blocks — if one block is no longer able to perform its function, the execution of 
the safety function through the blocks of the other channel should not be affected; 

— each channel may consist of one or several blocks — three blocks per channel in the 
designated architectures, input, logic and output, is not an obligatory number, but 
simply an example for a logical separation inside each channel; 

— each hardware unit of the SRP/CS should belong to exactly one block, thus 
allowing for the calculation of the MTTFd of the block based on the MTTFd of the 
hardware units belonging to the block (e.g. by failure mode and effects analysis or the 
parts count method, see Annex D.1); 

— hardware units only used for diagnostics (e.g. test equipment) and which do not 
affect the execution of the safety function in the different channels when they fail 
dangerously, may be separated from hardware units necessary for the execution 
of the safety function in the different channels. 

NOTE : For the purposes of this Standard, "blocks" do not correspond to functional 
blocks or reliability blocks. 

B.2 Safety-related block diagram 

The blocks defined by the block method may be used to graphically represent the 
logical structure of the SRP/CS in a safety-related block diagram. For such a 
graphical representation, the following may be of guidance: 

— the failure of one block in a series alignment of blocks leads to the failure of the 
whole channel (e.g. if one hardware unit in one channel of the SRP/CS fails 
dangerously, the whole channel might not be able to execute the safety function any 
longer); 

— only the dangerous failure of all channels in a parallel alignment leads to the loss 
of the safety function (e.g. a safety function performed by several channels is 
executed as long as at least one channel has no failure); 

— blocks used only for testing purposes and which do not affect the execution of the 
safety function in the different channels when they fail dangerously may be 
separated from blocks in the different channels. 

See figure B.1 for an example. 
I1 and O1 build up the first channel (series alignment), while I2, L and O2 build up the second 
channel (series alignment), with both channels executing the safety function redundantly (parallel 
alignment). T is only used for testing. 

Key 

I1, I2  input devices, e.g. sensor 
L       logic 
O1, O2  output devices, e.g. main contactor 
T       testing device 

Figure B.1 Example of safety-related block diagram 
(the diagram itself is not reproduced here; its key is given above) 
Annex C (informative) 

Calculating or evaluating MTTFd values for 
single components 

C.1 General 

This Annex gives several methods for calculating or evaluating MTTFd values for 
single components: the method given in C.2 is based on the respect of good 
engineering practices for the different kinds of components; that given in C.3 is applicable to 
hydraulic components; C.4 provides a means of calculating the MTTFd of pneumatic, 
mechanical and electromechanical components from B10d (see C.4.1); C.5 lists MTTFd 
values for electrical components. 

C.2 Good engineering practices method 

If the following criteria are met, the MTTFd or B10d value for a component can be 
estimated according to table C.1. 

a) The components are manufactured according to basic and well-tried safety 
principles in accordance with ISO 13849-2, or the relevant standard (see table C.1) 
for the design of the component (confirmation in the data sheet of the component). 

NOTE : This information can be found in the data sheet of the component 
manufacturer. 

b) The manufacturer of the component specifies the appropriate application and 
operating conditions for the user. 

c) The design of the SRP/CS fulfils the basic and well-tried safety principles accord- 
ing to ISO 13849-2, for the implementation and operation of the component. 

C.3 Hydraulic components 

If the following criteria are met, the MTTFd value for a single hydraulic component, 
e.g. valve, can be estimated at 150 years. 

a) The hydraulic components are manufactured according to basic and well-tried safety 
principles in accordance with ISO 13849-2, tables C.1 and C.2, for the design of 
the hydraulic component (confirmation in the data sheet of the component). 

NOTE : This information can be found in the data sheet of the component 
manufacturer. 

b) The manufacturer of the hydraulic component specifies the appropriate 
application and operating conditions for the user. The SRP/CS manufacturer shall 
provide information pertaining to his responsibility to apply the basic and well-tried 
safety principles according to ISO 13849-2, tables C.1 and C.2, for the 
implementation and operation of the hydraulic component. 

But if either a) or b) is not achieved, the MTTFd value for the single hydraulic 
component has to be given by the manufacturer. 
Table C.1 International Standards, JISs and other standards dealing 
with MTTFd or B10d for components 

Component                                            | Basic and well-tried safety principles according to ISO 13849-2:2003 | Other relevant standards                          | Typical values: MTTFd (years), B10d (cycles) 
-----------------------------------------------------+----------------------------------------------------------------------+--------------------------------------------------+--------------------------------------------- 
Mechanical components                                | Tables A.1 and A.2                                                   | -                                                | MTTFd = 150 
Hydraulic components                                 | Tables C.1 and C.2                                                   | JIS B 8361, EN 982                               | MTTFd = 150 
Pneumatic components                                 | Tables B.1 and B.2                                                   | JIS B 8370, EN 983                               | B10d = 20 000 000 
Relays and contactor relays with small load          | Tables D.1 and D.2                                                   | EN 50205, IEC 61810 series, JIS C 8201 series    | B10d = 20 000 000 
(mechanical load)                                    |                                                                      |                                                  | 
Relays and contactor relays with maximum load        | Tables D.1 and D.2                                                   | EN 50205, IEC 61810 series, JIS C 8201 series    | B10d = 400 000 
Proximity switches with small load (mechanical load) | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9710                    | B10d = 20 000 000 
Proximity switches with maximum load                 | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9710                    | B10d = 400 000 
Contactors with small load (mechanical load)         | Tables D.1 and D.2                                                   | JIS C 8201 series                                | B10d = 20 000 000 
Contactors with nominal load                         | Tables D.1 and D.2                                                   | JIS C 8201 series                                | B10d = 2 000 000 
Position switches independent of load a)             | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9710                    | B10d = 20 000 000 
Position switches (with separate actuator,           | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9710                    | B10d = 2 000 000 
guard-locking) independent of load a)                |                                                                      |                                                  | 
Emergency stop devices independent of the load a)    | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9703                    | B10d = 100 000 
Emergency stop devices with maximum operational      | Tables D.1 and D.2                                                   | JIS C 8201 series, JIS B 9703                    | B10d = 6 050 
demands a)                                           |                                                                      |                                                  | 
Push buttons (e.g. enabling switches independent     | Tables D.1 and D.2                                                   | JIS C 8201 series                                | B10d = 100 000 
of the load) a)                                      |                                                                      |                                                  | 

For the definition and use of B10d, see C.4. 

NOTE 1 B10d is estimated as two times B10 (50 % dangerous failure). 

NOTE 2 "Small load" means, for example, 20 % of the rated value (for more information, see ISO 
13849-2). 

Note a) If fault exclusion for direct opening action is possible. 
C.4 MTTFd of pneumatic, mechanical and electromechanical components 

C.4.1 General 

For pneumatic, mechanical and electromechanical components (pneumatic valves, 
relays, contactors, position switches, cams of position switches, etc.) it may be 
difficult to calculate the mean time to dangerous failure (MTTFd for components), which 
is given in years and which is required by this Standard. Most of the time, the 
manufacturers of these kinds of components only give the mean number of cycles until 10 % 
of the components fail dangerously (B10d). This clause gives a method for calculating 
an MTTFd for components by using B10d or T (lifetime) given by the manufacturer 
related closely to the application dependent cycles. 

If the following criteria are met, the MTTFd value for a single pneumatic, 
electromechanical or mechanical component can be estimated according to C.4.2. 

a) The components are manufactured according to basic safety principles in 
accordance with ISO 13849-2, table B.1 or table D.1, for the design of the component 
(confirmation in the data sheet of the component). 

NOTE : This information can be found in the data sheet of the component 
manufacturer. 

b) The components to be used in category 1, 2, 3 or 4 are manufactured according to 
well-tried safety principles in accordance with ISO 13849-2, table B.2 or table D.2, 
for the design of the component (confirmation in the data sheet of the component). 

NOTE : This information can be found in the data sheet of the component 
manufacturer. 

c) The manufacturer of the component specifies the appropriate application and 
operating conditions for the user. The SRP/CS manufacturer shall provide 
information pertaining to his responsibility to fulfil the basic safety principles 
according to ISO 13849-2, table B.1 or table D.1, for the implementation and operation 
of the component. For category 1, 2, 3 or 4, the user has to be informed of his 
responsibility to fulfil the well-tried safety principles according to ISO 13849-2, table 
B.2 or table D.2, for the implementation and operation of the component. 
C.4.2 Calculation of MTTFd for components from B10d 

The mean number of cycles until 10 % of the components fail dangerously (B10d) 1) 
should be determined by the manufacturer of the component in accordance with 
relevant product standards for the test methods (e.g. JIS C 8201-5-1, ISO 19973 series, 
IEC 61810 series). The dangerous failure modes of the component have to be defined, 
e.g. sticking at an end position or change of switching times. If not all the components 
fail dangerously during the tests (e.g. seven components tested, only five fail 
dangerously), an analysis taking into account the components that did not fail 
dangerously should be performed. 

With B10d 1) and n_op, the mean number of annual operations, MTTFd for components 
can be calculated as 

Note 1) If the dangerous fraction of B10 is not given, 50 % of B10 may be used, so 
B10d = 2 B10 is recommended. 
$$MTTF_d = \frac{B_{10d}}{0.1 \times n_{op}} \qquad (C.1)$$ 

where 

$$n_{op} = \frac{d_{op} \times h_{op} \times 3600\ \mathrm{s/h}}{t_{cycle}} \qquad (C.2)$$ 

with the following assumptions having been made on the application of the component: 

h_op : the mean operation, in hours per day; 

d_op : the mean operation, in days per year; 

t_cycle : the mean time between the beginning of two successive cycles of the 
component (e.g. switching of a valve), in seconds per cycle. 

The operation time of the component is limited to T10d, the mean time until 10 % of 
the components fail dangerously. 

$$T_{10d} = \frac{B_{10d}}{n_{op}} \qquad (C.3)$$ 

NOTE : Explanation of the formulas in C.4.2. 

B10d, the mean number of cycles till 10 % of the components fail dangerously, can 
be converted to T10d, the mean time until 10 % of the components fail dangerously, by 
using n_op, the mean number of annual operations: 

$$T_{10d} = \frac{B_{10d}}{n_{op}} \qquad (C.4)$$ 

The reliability methods in this Standard assume that the failure of components is 
distributed exponentially over time: $F(t) = 1 - \exp(-\lambda_d t)$. For pneumatic and 
electromechanical components, a Weibull distribution is more likely. But if the operation time 
of the components is limited to the mean time until 10 % of the components fail 
dangerously (T10d), then a constant dangerous failure rate (λd) over this operation time can 
be estimated as 

$$\lambda_d = \frac{1}{10 \times T_{10d}} = \frac{0.1 \times n_{op}}{B_{10d}} \qquad (C.5)$$ 

Equation (C.5) takes into account that with a constant failure rate, 10 % of the 
components in the assumed application fail after T10d [years], corresponding to B10d [cycles]. 
To be exact: 

$$F(T_{10d}) = 1 - \exp(-\lambda_d T_{10d}) = 10\,\% \quad \text{means} \quad \lambda_d = \frac{-\ln(0.9)}{T_{10d}} = \frac{-\ln(0.9) \times n_{op}}{B_{10d}} \approx \frac{0.1 \times n_{op}}{B_{10d}} \qquad (C.6)$$ 

With $MTTF_d = 1/\lambda_d$ for exponential distributions, this yields 

$$MTTF_d = \frac{T_{10d}}{0.1} = \frac{B_{10d}}{0.1 \times n_{op}} \qquad (C.7)$$ 
C.4.3 Example 

For a pneumatic valve, a manufacturer determines a mean value of 60 million cycles 
as B10d. The valve is used for two shifts each day on 220 operation days a year. The 
mean time between the beginning of two successive switchings of the valve is estimated 
as 5 s. This yields the following values: 

— d_op of 220 days per year; 

— h_op of 16 h per day; 

— t_cycle of 5 s per cycle; 

— B10d of 60 million cycles. 

With these input data the following quantities can be calculated: 

$$n_{op} = \frac{220\ \text{days/year} \times 16\ \text{h/day} \times 3600\ \text{s/h}}{5\ \text{s/cycle}} = 2.53 \times 10^6\ \text{cycles/year} \qquad (C.8)$$ 

$$T_{10d} = \frac{60 \times 10^6\ \text{cycles}}{2.53 \times 10^6\ \text{cycles/year}} = 23.7\ \text{years} \qquad (C.9)$$ 

$$MTTF_d = \frac{23.7\ \text{years}}{0.1} = 237\ \text{years} \qquad (C.10)$$ 

This will give an MTTFd for the component of "high" according to table 5. These 
assumptions are only valid for a restricted operation time of 23.7 years for the valve. 

C.5 MTTFd data of electrical components 

C.5.1 General 

Tables C.2 to C.7 indicate some typical average values of MTTFd for electronic 
components. The data are extracted from the SN 29500 series database [51]. All data are 
of general type. Various databases are available (see the database list in the 
Bibliography) which present MTTFd values for various electronic components. If the designer 
of an SRP/CS has other, reliable, specific data on the components used, then the use 
of that specific data instead is highly recommended. 

The values given in tables C.2 to C.7 are valid for a temperature of 40 °C, nominal 
load for current and voltage. 

In the MTTF column of the tables, the values from SN 29500 are for generic 
components for all possible failure modes which are not necessarily dangerous failures. In 
the MTTFd column, it is typically assumed that not all failure modes lead to a 
dangerous failure. This depends mainly on the application. A precise way of 
determining the "typical" MTTFd for components is to carry out an FMEA. Some components, 
e.g. transistors used as switches, can have short circuits or interruptions as failure. 
Only one of these two modes can be dangerous; therefore the "remarks" column assumes 
only 50 % dangerous failure, which means that the MTTFd for components is twice the 
given MTTF value. For use where there is doubt, a worst case MTTFd for components 
is given in the "worst case" MTTFd column, where the safety margin is 10. 
C.5.2 Semiconductors 

See tables C.2 and C.3. 

Table C.2 Transistors (used as switches) 

Transistor         | Example             | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
-------------------+---------------------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
Bipolar            | TO18, TO92, SOT23   | 34 247                      | 68 493                                | 6 849                                    | 50 % dangerous failure 
Bipolar, low power | TO5, TO39           | 5 708                       | 11 416                                | 1 142                                    | 50 % dangerous failure 
Bipolar, power     | TO3, TO220, D-Pack  | 1 941                       | 3 881                                 | 388                                      | 50 % dangerous failure 
FET                | Junction MOS        | 22 831                      | 45 662                                | 4 566                                    | 50 % dangerous failure 
MOS, power         | TO3, TO220, D-Pack  | 1 142                       | 2 283                                 | 228                                      | 50 % dangerous failure 

Table C.3 Diodes, power semiconductors and integrated circuits 

Diode                                                | Example                 | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
-----------------------------------------------------+-------------------------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
General purpose                                      | -                       | 114 155                     | 228 311                               | 22 831                                   | 50 % dangerous failure 
Suppressor                                           | -                       | 15 981                      | 31 963                                | 3 196                                    | 50 % dangerous failure 
Zener diode, Ptot < 1 W                              | -                       | 114 155                     | 228 311                               | 22 831                                   | 50 % dangerous failure 
Rectifier diodes                                     | -                       | 57 078                      | 114 155                               | 11 416                                   | 50 % dangerous failure 
Rectifier bridges                                    | -                       | 11 415                      | 22 831                                | 2 283                                    | 50 % dangerous failure 
Thyristors                                           | -                       | 2 283                       | 4 566                                 | 457                                      | 50 % dangerous failure 
Triacs, Diacs                                        | -                       | 1 484                       | 2 968                                 | 297                                      | 50 % dangerous failure 
Integrated circuits (programmable and non-programmable) | Use manufacturer's data |                          |                                       |                                          | 50 % dangerous failure 
C.6 Passive components 

See tables C.4 to C.7. 

Table C.4 Capacitors 

Capacitor              | Example                                      | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
-----------------------+----------------------------------------------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
Standard, no power     | KS, KP, KC, KT, MKT, MKC, MKP, MKU, MP, MKV  | 57 078                      | 114 155                               | 11 416                                   | 50 % dangerous failure 
Ceramic                | -                                            | 22 831                      | 45 662                                | 4 566                                    | 50 % dangerous failure 
Aluminium electrolytic | Non-solid electrolyte                        | 22 831                      | 45 662                                | 4 566                                    | 50 % dangerous failure 
Aluminium electrolytic | Solid electrolyte                            | 37 671                      | 75 342                                | 7 534                                    | 50 % dangerous failure 
Tantalum electrolytic  | Non-solid electrolyte                        | 11 415                      | 22 831                                | 2 283                                    | 50 % dangerous failure 
Tantalum electrolytic  | Solid electrolyte                            | 114 155                     | 228 311                               | 22 831                                   | 50 % dangerous failure 
Table C.5 Resistors 

Resistor                   | Example | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
---------------------------+---------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
Carbon film                | -       | 114 155                     | 228 311                               | 22 831                                   | 50 % dangerous failure 
Metal film                 | -       | 570 776                     | 1 141 552                             | 114 155                                  | 50 % dangerous failure 
Metal oxide and wire-wound | -       | 22 831                      | 45 662                                | 4 566                                    | 50 % dangerous failure 
Variable                   | -       | 3 767                       | 7 534                                 | 753                                      | 50 % dangerous failure 
Table C.6 Inductors 

Inductor                                                                  | Example | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
--------------------------------------------------------------------------+---------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
For MC application                                                        | -       | 37 671                      | 75 342                                | 7 534                                    | 50 % dangerous failure 
Low frequency inductors and transformers                                  | -       | 22 831                      | 45 662                                | 4 566                                    | 50 % dangerous failure 
Main transformers and transformers for switched modes and power supplies  | -       | 11 415                      | 22 831                                | 2 283                                    | 50 % dangerous failure 
Table C.7 Optocouplers 

Optocouplers   | Example | MTTF for components (years) | MTTFd for components (years), typical | MTTFd for components (years), worst case | Remark 
---------------+---------+-----------------------------+---------------------------------------+------------------------------------------+----------------------- 
Bipolar output | SFH 610 | 7 648                       | 15 296                                | 1 530                                    | 50 % dangerous failure 
FET output     | LH 1056 | 2 854                       | 5 708                                 | 571                                      | 50 % dangerous failure 
PROTECTED BY COPYRIGHT 



63 
B 9705-1 : 2011 (ISO 13849-1 : 2006) 

Annex D (informative) 

Simplified method for estimating MTTFd for 
each channel 

D.1 Parts count method 

Use of the "parts count method" serves to estimate the MTTFd for each channel 
separately. The MTTFd values of all single components which are part of that channel are 
used in this calculation. 

The general formula is 

$$\frac{1}{MTTF_d} = \sum_{i} \frac{1}{MTTF_{di}} = \sum_{j} \frac{n_j}{MTTF_{dj}} \qquad (D.1)$$ 

where 

MTTFd            is the MTTFd for the complete channel; 
MTTFdi, MTTFdj   is the MTTFd of each component which has a contribution to the safety 
                 function. 

The first sum is over each component separately; the second sum is an equivalent, 
simplified form where all n_j identical components with the same MTTFdj are grouped 
together. 

Example : 

$$\sum_{i} \frac{1}{MTTF_{di}} = \frac{1}{30} + \frac{1}{30} + \frac{1}{30} = \frac{n_j}{MTTF_{dj}} = \frac{3}{30} = \frac{1}{10}$$ 

The example given in table D.1 gives an MTTFd of the channel of 21.4 years, which 
is "medium" according to table 5. 

Table D.1 Example of the parts list of a circuit board 

j | Component                                                                                      | Units n_j | MTTFdj, worst case (years) | 1/MTTFdj, worst case (1/year) | n_j/MTTFdj, worst case (1/year) 
--+------------------------------------------------------------------------------------------------+-----------+----------------------------+-------------------------------+-------------------------------- 
1 | Transistors, bipolar, low power (see table C.2)                                                | 2         | 1 142                      | 0.000 876                     | 0.001 752 
2 | Resistor, carbon film (see table C.5)                                                          | 5         | 22 831                     | 0.000 044                     | 0.000 219 
3 | Capacitor, standard, no power (see table C.4)                                                  | 4         | 11 416                     | 0.000 088                     | 0.000 350 
4 | Relay (with small load, see table C.1) (B10d = 20 000 000 cycles, n_op = 633 600)              | 4         | 315.66                     | 0.003 168                     | 0.012 672 
5 | Contactor (with nominal load, see table C.1) (B10d = 2 000 000 cycles, n_op = 633 600)         | 1         | 31.57                      | 0.031 676                     | 0.031 676 
  | Σ (n_j/MTTFdj)                                                                                 |           |                            |                               | 0.046 669 
  | MTTFd = 1/Σ (n_j/MTTFdj) [years]                                                               |           |                            |                               | 21.43 


NOTE 1 This method is based on the presumption that a dangerous failure of any 
component within a channel leads to dangerous failure of the channel. 
The MTTFd calculation illustrated by table D.1 is based upon this. 

NOTE 2 In this example, the main influence comes from the contactor. The chosen 
values for MTTFd and B10d for this example are based on Annex C. For 
the example application d_op = 220 days/year, h_op = 8 h/day and t_cycle = 
10 s/cycle is assumed, giving n_op = 633 600 cycles/year. In general, taking 
manufacturer's values for MTTFd and B10d will lead to a much better 
result, that is, a higher MTTFd for the channel. 

D.2 MTTFd for different channels, symmetrization of MTTFd for each channel 

The designated architectures of 6.2 assume that for different channels in a 
redundant SRP/CS the values for MTTFd for each channel are the same. This value per 
channel should be input for figure 5. 

If the MTTFd of the channels differ, there are two possibilities: 

— as a worst case assumption, the lower value should be taken into account; 

— formula (D.2) can be used as an estimation of a value that can be substituted for 
MTTFd for each channel: 

$$MTTF_d = \frac{2}{3}\left[ MTTF_{dC1} + MTTF_{dC2} - \frac{1}{\dfrac{1}{MTTF_{dC1}} + \dfrac{1}{MTTF_{dC2}}} \right] \qquad (D.2)$$ 

where MTTFdC1 and MTTFdC2 are the values for two different redundant channels. 
Example : 

One channel has an MTTFdC1 = 3 years, the other channel has an MTTFdC2 = 100 years, 
then the resulting MTTFd = 66 years for each channel. This means a redundant 
system with 100 years MTTFd in one channel and 3 years MTTFd in the other channel is 
equal to a system where each channel has an MTTFd of 66 years. 

A redundant system with two channels and different MTTFd values for each chan- 
nel can be substituted by a redundant system with identical MTTF d in each channel 
by using the above formula. This procedure is necessary for the correct use of figure 5. 

NOTE : This method assumes independent parallel channels. 
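The parts count of D.1 (with the B10d conversion of Annex C used in table D.1) and the symmetrization of D.2, as an added worked example that is not code from the Standard; the function names, the table 5 band limits of 4.5.2 and the relation MTTFd = B10d / (0.1 × nop) are this example's assumptions taken from the Standard's text, and the checks at the end use the figures of table D.1, of the D.2 example and of Annex I examples A and B.

```python
"""Parts count per channel (D.1), B10d conversion (Annex C) and
symmetrization of two channels with different MTTFd (D.2).
Added example; not code from ISO 13849-1 / JIS B 9705-1."""


def n_op(d_op: float, h_op: float, t_cycle: float) -> float:
    """Mean number of operations per year (note 2 of D.1): d_op in days/year,
    h_op in hours/day, t_cycle in seconds/cycle."""
    return d_op * h_op * 3600.0 / t_cycle


def mttfd_from_b10d(b10d: float, nop: float) -> float:
    """MTTFd in years of a wear-out (electromechanical) component from its
    B10d (cycles) and n_op (cycles/year): MTTFd = B10d / (0.1 * n_op).
    Assumption: the Annex C relation as applied in table D.1."""
    return b10d / (0.1 * nop)


def channel_mttfd(parts: list[tuple[int, float]]) -> float:
    """Parts count method of D.1: 1/MTTFd = sum_j n_j / MTTFd_j over all
    components j of one channel. parts holds (n_j, MTTFd_j in years)."""
    return 1.0 / sum(n / mttfd for n, mttfd in parts)


def symmetrize(c1: float, c2: float) -> float:
    """Formula D.2: value to substitute for each channel of a redundant
    system whose channels have MTTFd c1 and c2 (years). Identical channels
    are returned unchanged."""
    return (2.0 / 3.0) * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_band(years: float) -> str:
    """Table 5 of 4.5.2 (assumed band limits): low 3 to 10, medium 10 to 30,
    high 30 to 100 years; values above 100 years are capped at 100 and a
    channel below 3 years is not acceptable."""
    years = min(years, 100.0)
    if years < 3.0:
        return "not acceptable"
    if years < 10.0:
        return "low"
    if years < 30.0:
        return "medium"
    return "high"


if __name__ == "__main__":
    nop = n_op(220, 8, 10)                        # 633 600 cycles/year (note 2)
    relay = mttfd_from_b10d(20_000_000, nop)      # 315.66 years, table D.1 row 4
    contactor = mttfd_from_b10d(2_000_000, nop)   # 31.57 years, table D.1 row 5
    print(f"relay {relay:.2f} y, contactor {contactor:.2f} y")

    # Annex I example A: SW1A 20 years and K1A 50 years in one channel.
    ch_a = channel_mttfd([(1, 20.0), (1, 50.0)])  # 14.3 years, "medium"
    print(f"example A channel: {ch_a:.1f} y ({mttfd_band(ch_a)})")

    # D.2 example: 3 years and 100 years -> about 66 years per channel.
    print(f"D.2 example: {symmetrize(3.0, 100.0):.1f} y")

    # Annex I example B: K1B 30 years versus SW2 + PLC + CC of 20 years each.
    ch_b2 = channel_mttfd([(1, 20.0), (1, 20.0), (1, 20.0)])   # 6.7 years
    sym = symmetrize(30.0, ch_b2)                                # about 20 years
    print(f"example B: {sym:.1f} y ({mttfd_band(sym)})")
```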
Annex E (informative)
Estimates for diagnostic coverage (DC) for functions and modules

E.1 Examples of diagnostic coverage (DC)
See table E.1.

Table E.1 Estimates for diagnostic coverage (DC)

Measure / DC

EI Input device

EI-1  Cyclic test stimulus by dynamic change of the input signals
      DC: 90 %
EI-2  Plausibility check, e.g. use of normally open and normally closed
      mechanically linked contacts
      DC: 99 %
EI-3  Cross monitoring of inputs without dynamic test
      DC: 0 % to 99 %, depending on how often a signal change is done by the
      application
EI-4  Cross monitoring of input signals with dynamic test if short circuits
      are not detectable (for multiple I/O)
      DC: 90 %
EI-5  Cross monitoring of input signals and intermediate results within the
      logic (L), and temporal and logical software monitor of the program
      flow and detection of static faults and short circuits (for multiple I/O)
      DC: 99 %
EI-6  Indirect monitoring (e.g. monitoring by pressure switch, electrical
      position monitoring of actuators)
      DC: 90 % to 99 %, depending on the application
EI-7  Direct monitoring (e.g. electrical position monitoring of control
      valves, monitoring of electromechanical devices by mechanically linked
      contact elements)
      DC: 99 %
EI-8  Fault detection by the process
      DC: 0 % to 99 %, depending on the application; this measure alone is
      not sufficient for the required performance level "e"!
EI-9  Monitoring some characteristics of the sensor (response time, range of
      analogue signals, e.g. electrical resistance, capacitance)
      DC: 60 %

EL Logic

EL-1  Indirect monitoring (e.g. monitoring by pressure switch, electrical
      position monitoring of actuators)
      DC: 90 % to 99 %, depending on the application
EL-2  Direct monitoring (e.g. electrical position monitoring of control
      valves, monitoring of electromechanical devices by mechanically linked
      contact elements)
      DC: 99 %
EL-3  Simple temporal time monitoring of the logic (e.g. timer as watchdog,
      where trigger points are within the program of the logic)
      DC: 60 %
EL-4  Temporal and logical monitoring of the logic by the watchdog, where
      the test equipment does plausibility checks of the behaviour of the logic
      DC: 90 %
EL-5  Start-up self-tests to detect latent faults in parts of the logic (e.g.
      program and data memories, input/output ports, interfaces)
      DC: 90 % (depending on the testing technique)
EL-6  Checking the monitoring device reaction capability (e.g. watchdog) by
      the main channel at start-up or whenever the safety function is demanded
      or whenever an external signal demands it, through an input facility
      DC: 90 %
EL-7  Dynamic principle (all components of the logic are required to change
      the state ON-OFF-ON when the safety function is demanded), e.g.
      interlocking circuit implemented by relays
      DC: 99 %
EL-8  Invariable memory: signature of one word (8 bit)
      DC: 90 %
EL-9  Invariable memory: signature of double word (16 bit)
      DC: 99 %
EL-10 Variable memory: RAM test by use of redundant data, e.g. flags,
      markers, constants, timers, and cross comparison of these data
      DC: 60 %
EL-11 Variable memory: check for readability and writability of used data
      memory cells
      DC: 60 %
EL-12 Variable memory: RAM monitoring with modified Hamming code or RAM
      self-test (e.g. "galpat" or "Abraham")
      DC: 99 %
EL-13 Processing unit: self-test by software
      DC: 60 % to 90 %
EL-14 Processing unit: coded processing
      DC: 90 % to 99 %
EL-15 Fault detection by the process
      DC: 0 % to 99 %, depending on the application; this measure alone is
      not sufficient for the required performance level "e"!

EO Output device

EO-1  Monitoring of outputs by one channel without dynamic test
      DC: 0 % to 99 %, depending on how often a signal change is done by the
      application
EO-2  Cross monitoring of outputs without dynamic test
      DC: 0 % to 99 %, depending on how often a signal change is done by the
      application
EO-3  Cross monitoring of output signals with dynamic test without detection
      of short circuits (for multiple I/O)
      DC: 90 %
EO-4  Cross monitoring of output signals and intermediate results within the
      logic (L) and temporal and logical software monitor of the program flow
      and detection of static faults and short circuits (for multiple I/O)
      DC: 99 %
EO-5  Redundant shut-off path with no monitoring of the actuator
      DC: 0 %
EO-6  Redundant shut-off path with monitoring of one of the actuators either
      by logic or by test equipment
      DC: 90 %
EO-7  Redundant shut-off path with monitoring of the actuators by logic and
      test equipment
      DC: 99 %
EO-8  Indirect monitoring (e.g. monitoring by pressure switch, electrical
      position monitoring of actuators)
      DC: 90 % to 99 %, depending on the application
EO-9  Fault detection by the process
      DC: 0 % to 99 %, depending on the application; this measure alone is
      not sufficient for the required performance level "e"!
EO-10 Direct monitoring (e.g. electrical position monitoring of control
      valves, monitoring of electromechanical devices by mechanically linked
      contact elements)
      DC: 99 %

NOTE 1 For additional estimations for DC, see, e.g., IEC 61508-2, tables A.2 to A.15.

NOTE 2 If medium or high DC is claimed for the logic, at least one measure for variable memory,
invariable memory and processing unit with each DC at least 60 % has to be applied.
There may also be measures used other than those listed in this table.



E.2 Estimation of average DC (DCavg)

In many systems, several measures for fault detection might be used. These measures
could check different parts of the SRP/CS and have different DC. For an estimation
of the PL according to figure 5 only one, average, DC for the whole SRP/CS
performing the safety function is applicable.

DC may be determined as the ratio between the failure rate of detected dangerous
failures and the failure rate of total dangerous failures. According to this definition
an average diagnostic coverage DCavg is estimated by the following formula:

$$\mathrm{DC}_{avg} = \frac{\dfrac{\mathrm{DC}_1}{\mathrm{MTTF}_{d1}} + \dfrac{\mathrm{DC}_2}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{\mathrm{DC}_N}{\mathrm{MTTF}_{dN}}}{\dfrac{1}{\mathrm{MTTF}_{d1}} + \dfrac{1}{\mathrm{MTTF}_{d2}} + \cdots + \dfrac{1}{\mathrm{MTTF}_{dN}}} \qquad (E.1)$$

Here all components of the SRP/CS without fault exclusion have to be considered and
summed up. For each block, the MTTFd and the DC are taken into account. DC in
this formula means the ratio of the failure rate of detected dangerous failures of the
part (regardless of the measures used to detect the failures) to the failure rate of all
dangerous failures of the part. Thus, DC refers to the tested part and not to the testing
device. Components without failure detection (e.g. which are not tested) have DC = 0
and contribute only to the denominator of DCavg.
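Formula E.1 applied to the four tested parts of control circuit B from I.4.2 (SW2, K1B, PLC, CC), as an added example that is not code from the Standard; the table 6 band limits of 4.5.3 are an assumption taken from the Standard's text, and the extra untested part at the end is constructed here to show the denominator-only effect described above.

```python
"""Average diagnostic coverage per formula E.1 and its classification.
Added example; not code from ISO 13849-1 / JIS B 9705-1."""


def dc_avg(blocks: list[tuple[float, float]]) -> float:
    """Formula E.1. blocks holds (DC_i, MTTFd_i in years) for every component
    of the SRP/CS without fault exclusion, DC_i as a fraction 0..1. A part
    without any failure detection enters with DC_i = 0 and therefore only
    raises the denominator."""
    numerator = sum(dc / mttfd for dc, mttfd in blocks)
    denominator = sum(1.0 / mttfd for _, mttfd in blocks)
    return numerator / denominator


def dc_band(dc: float) -> str:
    """Table 6 of 4.5.3 (assumed band limits): none below 60 %, low 60 % to
    below 90 %, medium 90 % to below 99 %, high 99 % and above."""
    if dc < 0.60:
        return "none"
    if dc < 0.90:
        return "low"
    if dc < 0.99:
        return "medium"
    return "high"


# (DC, MTTFd in years) of the parts tested by the PLC in control circuit B,
# as listed in I.4.2.
CIRCUIT_B = [
    (0.60, 20.0),  # SW2: table E.1 EI-3, inputs monitored without dynamic test
    (0.99, 30.0),  # K1B: table E.1 EI-2, mechanically linked NO/NC contacts
    (0.30, 20.0),  # PLC: self-tests of low effectiveness
    (0.90, 20.0),  # CC:  table E.1 EO-6, redundant shut-off path monitored by logic
]


def circuit_b_dc_avg() -> float:
    """DCavg of control circuit B, formula (I.4): 0.123 / 0.183, about 67.1 %."""
    return dc_avg(CIRCUIT_B)


def with_untested_part(mttfd: float) -> float:
    """Constructed variant: one more part in the same SRP/CS with no failure
    detection (DC = 0). It adds 1/mttfd to the denominator only, so DCavg
    falls, here from "low" to "none"."""
    return dc_avg(CIRCUIT_B + [(0.0, mttfd)])


if __name__ == "__main__":
    avg = circuit_b_dc_avg()
    print(f"circuit B: DCavg = {avg:.1%} ({dc_band(avg)})")
    worse = with_untested_part(20.0)
    print(f"plus an untested 20-year part: DCavg = {worse:.1%} ({dc_band(worse)})")
```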
Annex F (informative)
Estimates for common cause failure (CCF)

F.1 Requirements for CCF

A comprehensive procedure for measures against CCF for sensors/actuators and
separately for control logic is given, for example, in IEC 61508-6, Annex D. Not all
measures given therein are applicable to the machinery site. The most important measures
are given here.

NOTE : In this Standard, it is assumed that for redundant systems a β-factor according
to IEC 61508-6, Annex D should be less than or equal to 2 %.

F.2 Estimation of effect of CCF

This quantitative process should be passed for the whole system. Every part of the
safety-related parts of the control system should be considered.

Table F.1 lists the measures and contains associated values, based on engineering
judgement, which represent the contribution each measure makes in the reduction of
common cause failures.

For each listed measure, only the full score or nothing can be claimed. If a measure
is only partly fulfilled, the score according to this measure is zero.

Table F.1 Scoring process and quantification of measures against CCF

No.  Measure against CCF / Score

1    Separation/segregation
     Physical separation between signal paths:
       separation in wiring/piping,
       sufficient clearances and creepage distances on printed-circuit boards.
     Score: 15

2    Diversity
     Different technologies/design or physical principles are used, for example:
       first channel programmable electronic and second channel hardwired,
       kind of initiation,
       pressure and temperature,
       measuring of distance and pressure,
       digital and analogue.
     Components of different manufacturers.
     Score: 20

3    Design/application/experience
3.1  Protection against over-voltage, over-pressure, over-current, etc.
     Score: 15
3.2  Components used are well-tried.
     Score: 5

4    Assessment/analysis
     Are the results of a failure mode and effect analysis taken into account
     to avoid common-cause failures in design?
     Score: 5

5    Competence/training
     Have designers/maintainers been trained to understand the causes and
     consequences of common cause failures?
     Score: 5

6    Environmental
6.1  Prevention of contamination and electromagnetic compatibility (EMC)
     against CCF in accordance with appropriate standards.
     Fluidic systems: filtration of the pressure medium, prevention of dirt
     intake, drainage of compressed air, e.g. in compliance with the component
     manufacturers' requirements concerning purity of the pressure medium.
     Electric systems: Has the system been checked for electromagnetic
     immunity, e.g. as specified in relevant standards against CCF?
     For combined fluidic and electric systems, both aspects should be
     considered.
     Score: 25
6.2  Other influences
     Have the requirements for immunity to all relevant environmental
     influences such as temperature, shock, vibration, humidity (e.g. as
     specified in relevant standards) been considered?
     Score: 10

     Total (max. achievable 100)

Total score        Measures for avoiding CCF a)
65 or better       Meets the requirements
Less than 65       Process failed: choose additional measures

a) Where technological measures are not relevant, points attached to this column
   can be considered in the comprehensive calculation.
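The scoring process of F.2 over table F.1, as an added example that is not code from the Standard; the measure numbers and points are those of table F.1, the all-or-nothing rule and the threshold of 65 are from F.2, the claims reproduce table I.1 of Annex I (example B), and the claim states "full", "partial" and "none" are labels chosen for this example.

```python
"""CCF scoring of F.2 / table F.1 with the all-or-nothing rule.
Added example; not code from ISO 13849-1 / JIS B 9705-1."""

# Table F.1: measure number -> (short title, points claimable when fully met).
TABLE_F1 = {
    "1":   ("Separation/segregation", 15),
    "2":   ("Diversity", 20),
    "3.1": ("Protection against over-voltage, over-pressure, over-current, etc.", 15),
    "3.2": ("Components used are well-tried", 5),
    "4":   ("Assessment/analysis (FMEA results used against CCF)", 5),
    "5":   ("Competence/training", 5),
    "6.1": ("Prevention of contamination and EMC", 25),
    "6.2": ("Other environmental influences", 10),
}
THRESHOLD = 65  # F.2: a total of 65 or better meets the requirements


def ccf_score(claims: dict[str, str]) -> tuple[int, bool, list[str]]:
    """Score the claimed measures. claims maps a table F.1 number to "full",
    "partial" or "none". Per F.2 only the full score or nothing can be
    claimed, so a partly fulfilled measure scores zero; such measures are
    reported back so the designer can see where points were lost.
    Returns (total, meets_requirement, measures_not_scored)."""
    unknown = set(claims) - set(TABLE_F1)
    if unknown:
        raise ValueError(f"not a measure of table F.1: {sorted(unknown)}")
    total = 0
    not_scored = []
    for number, (title, points) in TABLE_F1.items():
        state = claims.get(number, "none")
        if state == "full":
            total += points
        else:
            not_scored.append(f"{number} {title}: {state}, {points} points lost")
    return total, total >= THRESHOLD, not_scored


# Claims of table I.1 for control circuit B; 3.1 and 5 are not claimed ("None").
EXAMPLE_B = {"1": "full", "2": "full", "3.2": "full", "4": "full",
             "6.1": "full", "6.2": "full"}


def example_b_score() -> int:
    """Total of table I.1: 15 + 20 + 5 + 5 + 25 + 10 = 80."""
    return ccf_score(EXAMPLE_B)[0]


if __name__ == "__main__":
    total, meets, lost = ccf_score(EXAMPLE_B)
    print(f"example B: {total} points, {'meets' if meets else 'fails'}")
    for line in lost:
        print("  not scored:", line)
    # Constructed variant: EMC immunity only partly verified, so 6.1 scores 0
    # and the process fails even though every other measure is unchanged.
    total, meets, _ = ccf_score({**EXAMPLE_B, "6.1": "partial"})
    print(f"with 6.1 only partly fulfilled: {total} points, {'meets' if meets else 'fails'}")
```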
Annex G (informative)
Systematic failure



G.l General 

ISO 13849-2 gives a comprehensive list of measures against systematic failure which 
should be applied, such as basic and well-tried safety principles. 

G.2 Measures for the control of systematic failures 
The following measures should be applied. 

— Use of de-energization (see ISO 13849-2) 

The safety-related parts of the control system (SRP/CS) should be designed so 
that with loss of its power supply a safe state of the machine can be achieved or 
maintained. 

— Measures for controlling the effects of voltage breakdown, voltage variations, over- 
voltage, undervoltage 

SRP/CS behaviour in response to voltage breakdown, voltage variations, over- 
voltage, and undervoltage conditions should be predetermined so that the SRP/CS 
can achieve or maintain a safe state of the machine (see also JIS B 9960-1 and 
IEC 61508-7, A.8). 

— Measures for controlling or avoiding the effects of the physical environment (for 
example, temperature, humidity, water, vibration, dust, corrosive substances, elec- 
tromagnetic interference and its effects) 

SRP/CS behaviour in response to the effects of the physical environment should 
be predetermined so that the SRP/CS can achieve or maintain a safe state of the 
machine (see also, for example, JIS C 0920, JIS B 9960-1). 

— Program sequence monitoring shall be used with SRP/CS containing software in
order to detect defective program sequences

A defective program sequence exists if the individual elements of a program (e.g.
software modules, subprograms or commands) are processed in the wrong sequence
or period of time or if the clock of the processor is faulty (see IEC 61508-7, A.9).

— Measures for controlling the effects of errors and other effects arising from any data 
communication process (see IEC 61508-2, 7.4.8) 

In addition, one or more of the following measures should be applied, taking into 
account the complexity of the SRP/CS and its PL: 

— failure detection by automatic tests; 

— tests by redundant hardware; 

— diverse hardware; 

— operation in the positive mode; 

— mechanically linked contacts; 
— direct opening action; 

— oriented mode of failure; 

— over-dimensioning by a suitable factor, where the manufacturer can demonstrate
that derating will improve reliability; where over-dimensioning is appropriate, an
over-dimensioning factor of at least 1.5 should be used.

See also ISO 13849-2, D.3. 
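Program sequence monitoring as described in G.2, shown as an added example that is not code from the Standard: a monitor that checks both the logical order of the safety-relevant program steps and the cycle time (the temporal and logical combination that table E.1 lists as EL-4), latching a safe-state demand on any deviation. The checkpoint names, the 50 ms window and the traces are constructed for this example.

```python
"""Logical and temporal program flow monitor (G.2; IEC 61508-7, A.9).
Added example; not code from ISO 13849-1 / JIS B 9705-1."""

# Constructed: the safety-relevant steps of one control cycle, in order.
EXPECTED = ["read_inputs", "plausibility", "compute", "write_outputs"]


class SequenceMonitor:
    def __init__(self, expected: list[str], max_cycle_s: float):
        self.expected = list(expected)
        self.max_cycle_s = max_cycle_s
        self.pos = 0              # index of the checkpoint expected next
        self.cycle_start = None
        self.safe_state = False   # latched once a deviation is detected
        self.faults: list[str] = []

    def checkpoint(self, name: str, now: float) -> bool:
        """Reported by the program at each step. Returns False once the
        monitor demands the safe state; the caller must then stop the
        actuators and must not clear the latch in software."""
        if self.safe_state:
            return False
        if self.pos == 0:
            self.cycle_start = now
        if name != self.expected[self.pos]:   # wrong order or skipped step
            return self._trip(f"logical: got {name}, expected {self.expected[self.pos]}")
        self.pos += 1
        if self.pos == len(self.expected):    # cycle complete: check its duration
            elapsed = now - self.cycle_start
            self.pos = 0
            if elapsed > self.max_cycle_s:
                return self._trip(f"temporal: cycle took {elapsed:.3f} s")
        return True

    def tick(self, now: float) -> bool:
        """Watchdog view, called from a timer independent of the program: a
        cycle that started but never completed within the window is a
        temporal fault even though no checkpoint arrived to report it."""
        if not self.safe_state and self.cycle_start is not None \
                and now - self.cycle_start > self.max_cycle_s:
            return self._trip("temporal: no cycle completion within window")
        return not self.safe_state

    def _trip(self, reason: str) -> bool:
        self.faults.append(reason)
        self.safe_state = True
        return False


def run_trace(trace: list[tuple[float, str]], max_cycle_s: float = 0.050):
    """Feed (timestamp, checkpoint) events; return (safe_state, faults)."""
    monitor = SequenceMonitor(EXPECTED, max_cycle_s)
    for t, name in trace:
        monitor.checkpoint(name, t)
    return monitor.safe_state, monitor.faults


# Constructed traces: a healthy cycle, a skipped plausibility check, a slow cycle.
HEALTHY = [(0.000, "read_inputs"), (0.005, "plausibility"),
           (0.010, "compute"), (0.020, "write_outputs")]
SKIPPED = [(0.000, "read_inputs"), (0.010, "compute"), (0.020, "write_outputs")]
SLOW = [(0.000, "read_inputs"), (0.005, "plausibility"),
        (0.090, "compute"), (0.100, "write_outputs")]

if __name__ == "__main__":
    for label, trace in (("healthy", HEALTHY), ("skipped", SKIPPED), ("slow", SLOW)):
        print(label, run_trace(trace))
```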

G.3 Measures for avoidance of systematic failures 
The following measures should be applied. 

— Use of suitable materials and adequate manufacturing 

Selection of material, manufacturing methods and treatment in relation to, e.g. 
stress, durability, elasticity, friction, wear, corrosion, temperature, conductivity, 
dielectric rigidity. 

— Correct dimensioning and shaping 

Consideration of, e.g. stress, strain, fatigue, temperature, surface roughness, tol- 
erances, manufacturing. 

— Proper selection, combination, arrangements, assembly and installation of compo- 
nents, including cabling, wiring and any interconnections 

Apply appropriate standards and manufacturer's application notes, e.g. catalogue 
sheets, installation instructions, specifications, and use of good engineering prac- 
tice. 

— Compatibility 

Use components with compatible operating characteristics. 

— Withstanding specified environmental conditions 

Design the SRP/CS so that it is capable of working in all expected environments 
and in any foreseeable adverse conditions, e.g. temperature, humidity, vibration 
and electromagnetic interference (EMI) (see ISO 13849-2, D.2). 

— Use of components designed to an appropriate standard and having well-defined 
failure modes 

To reduce the risk of undetected faults by the use of components with specific 
characteristics (see IEC 61508-7, B.3.3). 

In addition, one or more of the following measures should be applied, taking into 
account the complexity of the SRP/CS and its PL. 

— Hardware design review (e.g. by inspection or walk-through) 

To reveal by reviews and analysis discrepancies between the specification and 
implementation (see IEC 61508-7, B.3.7 and B.3.8). 

— Computer-aided design tools capable of simulation or analysis 

Perform the design procedure systematically and include appropriate automatic 
construction elements that are already available and tested (see IEC 61508-7, 
B.3.5). 
— Simulation 

Perform a systematic and complete inspection of an SRP/CS design in terms of 
both the functional performance and the correct dimensioning of their components 
(see IEC 61508-7, B.3.6). 

G.4 Measures for avoidance of systematic failures during SRP/CS integration

The following measures should be applied during integration of the SRP/CS: 

— functional testing; 

— project management; 

— documentation. 

In addition, black-box testing should be applied, taking into account the complex- 
ity of the SRP/CS and its PL. 
Annex H (informative)
Example of combination of several safety-related parts of the control system



Figure H.l is a schematic diagram of the safety-related parts providing one of the 
functions controlling a machine actuator. This is not a functional/working diagram 
and is included only to demonstrate the principle of combining categories and tech- 
nologies in this one function. 

The control is provided through electronic control logic and a hydraulic directional
valve. The risk is reduced by an AOPD, which detects access to the hazardous situation
and prevents start-up of the fluidic actuator when the light beam is interrupted.

The safety-related parts which provide the safety function are: AOPD, electronic
control logic, hydraulic directional valve and the interconnecting means.

These combined safety-related parts provide a stop function as a safety function. 
As the AOPD is interrupted, the outputs transfer a signal to the electronic control logic, 
which provides a signal to the hydraulic directional valve to stop the hydraulic flow 
as the output of the SRP/CS. At the machine, this stops the hazardous movement of 
the actuator. 

This combination of safety-related parts creates a safety function demonstrating the
combination of different categories and technologies based on the requirements given
in clause 6. Using the principles given in this Standard, the safety-related parts shown
in figure H.2 can be described as follows.

— Category 2, PL = c for the electro-sensitive protective device (light barrier). To reduce 
the probability of faults this device uses well-tried safety principles; 

— Category 3, PL = d for the electronic control logic. To increase the level of safety 
performance of this electronic control logic, the structure of this SRP/CS is redun- 
dant and implements several fault detection measures such that it is able to de- 
tect most of single faults; 

— Category 1, PL = c for the hydraulic directional valve. The status of being well-tried
is mainly application-specific. In this example, the valve is considered to be well-tried.
In order to reduce the probability of faults, this device is comprised of well-tried
components applied using well-tried safety principles and all application
conditions are considered (see 6.2.4).

NOTE 1 The position, size and layout of the interconnecting means have also 
to be taken into account. 

This combination leads with PLlow = c and Nlow = 2 to an overall performance level of
PL = c (see 6.3).

NOTE 2 In case of one fault in the category 1 or the category 2 parts of fig- 
ure H.2 there may be a loss of the safety function. 
Key
AOPD  active optoelectronic protective device (e.g. light barrier), SRP/CSa: Category 2
      [Type 2 (JIS B 9704-1)], PL = c
E     electronic control logic, SRP/CSb: Category 3, PL = d
F     fluidics, SRP/CSc: Category 1, PL = c
Fa    fluidic actuator
H     hazardous movement

Figure H.1 Example — Block diagram explaining combination of SRP/CS



[Figure H.2: block diagram of SRP/CSa (AOPD), SRP/CSb and SRP/CSc drawn as designated architectures; only the key is recoverable from the text]

Key
AOPD            active optoelectronic protective device (e.g. light barrier)
E               electronic control logic
F               fluidics
I, I1, I2       input devices, e.g. sensor
L, L1, L2       logic
O, O1, O2, OTE  output devices, e.g. main contactor
TE              test equipment

Figure H.2 Substitution of figure H.1 by designated architectures
Annex I (informative)
Examples

I.1 General

This Annex illustrates the use of the methods given in preceding annexes for identifying
safety functions and determining PL. The quantification of two widely used
control circuits is given. For the stepwise procedure, see figure 3.

Two different examples of control circuits, A and B, are examined, see figure I.1 and
figure I.3. Both illustrate the performance of the same safety function of the interlocking
of the guard door. The first example is built up as one channel of electromechanical
components with high MTTFd values, while the second is made up of two
channels — one electromechanical and the other programmable electronic — including
tests, but made up of components with lower MTTFd.

I.2 Safety function and required performance level (PLr) 

For both examples, the safety function of the interlocking of a guard may be chosen 
as follows. 

The dangerous movement will be stopped when the guard door is opened (by de- 
energizing the power of the electrical motor). 

The risk parameters according to the risk graph method (see figure A.l) are the fol- 
lowing: 

— severity of injury, S=S2, serious; 

— frequency and/or exposure time to hazard, F = F1, seldom to less often and/or the 
exposure time is short; 

— possibility of avoiding the hazard, P = P1, possible under specific conditions. 

These decisions lead to a required performance level PL r of c. 

Determination of the preferred category: a performance level of c can be achieved 
typically by very reliable single-channel systems (category 1) or redundant architec- 
tures (category 2 or 3) (see figure 5 and clause 6). 

I.3 Example A, single-channel system

I.3.1 Identification of safety-related parts

All components contributing to the safety function are represented in figure I.1.
Functional details not contributing to the safety function of interlocking (as start and
stop switches) are omitted.
[Figure I.1: circuit diagram of SW1A, K1A and the motor; only the key is recoverable from the text]

Key
o     open
c     close
M     motor
K1A   contactor
+     direct-current power source
L     alternating-current power source
SW1A  switch (NC)

Figure I.1 Control circuit A for performing safety function

In this example, a door switch has normally closed contacts (but no fault exclusion
is justified) and is connected to a contactor able to switch off the power connection to
the motor:

— one channel of electromechanical components;

— switch SW1A has medium MTTFd;

— contactor K1A has low MTTFd.

The chosen contactor in this example is a well-tried component when implemented 
according to ISO 13849-2. 

Thus the safety-related parts and their division into channels can be illustrated in
a safety-related block diagram as shown in figure I.2.

[Figure I.2: block diagram of the single channel SW1A followed by K1A]

Key
K1A   contactor
SW1A  switch

Figure I.2 Safety-related block diagram identifying safety-related parts of Example A



I.3.2 Quantification of MTTFd for each channel, DCavg, common cause failure,
category, PL

The values for MTTFd for each channel, DCavg and common cause failure are assumed
to be estimated according to Annexes C, D, E and F, or to be given by the manufacturer.
The categories are estimated according to 6.2.

— MTTFd

The contactor K1A and the switch SW1A contribute to the MTTFd of the one channel.
The MTTFd,K1A of 50 years and MTTFd,SW1A of 20 years are assumed to be given
by the manufacturer. The parts count method of D.1 yields for the MTTFd of the
one channel:

$$\frac{1}{\mathrm{MTTF}_d} = \frac{1}{\mathrm{MTTF}_{d,SW1A}} + \frac{1}{\mathrm{MTTF}_{d,K1A}} = \frac{1}{20\ \text{years}} + \frac{1}{50\ \text{years}} = \frac{0.07}{\text{years}} \qquad (I.1)$$

which leads to MTTFd = 14.3 years or "medium" for the channel according to 4.5.2,
table 5.

NOTE : If no information for K1A were available, a worst case assumption according
to C.2 or C.4 could be made.

— DC

Because no testing is done in control circuit A, the DC = 0 or "none" according
to 4.5.3, table 6.

— Category

Although the preferred category for this circuit is category 1, the resulting MTTFd
of the channel is "medium". This is an argument that only category B is reached
by this design.

Input data for figure 5: MTTFd for each channel is "medium" (14.3 years), DCavg is
"none" and category is B.

This may be interpreted as performance level b.

This result does not match the required performance level c according to I.2. The
circuit thus has to be redesigned and re-evaluated until performance level c is reached,
in order to meet the requirements for risk reduction of the example application of I.2.

I.4 Example B, redundant system

I.4.1 Identification of safety-related parts

All components contributing to the safety function are represented in figure I.3.
Functional details not contributing to the safety function of interlocking (as start and
stop switches or delayed switching of K1B) are omitted.
[Figure I.3: circuit diagram with programmable logic controller, current converter, motor and rotation sensor; only the key is recoverable from the text]

Key
o     open
c     close
Cs    stop function (standard)
SIB   safe impulse blocking
K1B   contactor
SW1B  switch (NC)
SW2   switch (NO)
+     direct-current power source
L     alternating-current power source

Figure I.3 Control circuit B to perform the safety function

In this second example two channels providing redundancy are used. The first channel,
similarly to that in example A, uses a door switch having direct opening action
and which is used in the positive mode of actuation. This door switch is connected to
a contactor able to switch off the power connection to the motor. In the second channel
additional (programmable) electronic components are used. A second door switch
is connected to a programmable logic controller which can control the current converter
to switch off the power connection to the motor:

— redundant channels, one electromechanical and the other programmable electronic;

— switch SW1B has positive mechanical action of the contacts, SW2 has medium
MTTFd;

— contactor K1B has medium MTTFd, the chosen contactor in this example is not a
well-tried component;

— electronic components have medium MTTFd.
So the safety-related parts and their division into channels can be illustrated in a
safety-related block diagram as shown in figure I.4.

NOTE : With respect to redundant diversity, requirements for software according
to 4.6 for the PLC path are not considered relevant.



[Figure I.4: block diagram of two channels, SW1B followed by K1B and SW2 followed by PLC and CC, with RS attached to the second channel]

SW1B and K1B build up the first channel; SW2, PLC and CC build up the
second channel; RS is only used to test the current converter.

Key
SW1B  interlocking device
K1B   contactor
SW2   switch
PLC   programmable logic controller
CC    current converter
RS    rotation sensor

Figure I.4 Block diagrams identifying safety-related parts of example B

I.4.2 Quantification of MTTFd for each channel, DCavg, common cause failure,
category and PL

The values for MTTFd for each channel, DCavg and common cause failure are assumed
to be evaluated according to Annexes C, D, E and F, or to be given by the manufacturer.
The categories are estimated according to 6.2.

The switch SW1B has a direct opening action and is used in the positive mode of
actuation. Therefore, a fault exclusion is made concerning non-opening of a contact
and non-actuation of the switch due to mechanical failure (e.g. break of plunger, wear
of the actuating cam, maladjustment).

NOTE : These assumptions are valid for auxiliary circuit switches according to
JIS C 8201-5-1, Annex K, and for adequate mechanical fixing and actuation
of the switches according to the manufacturer's specification (see
ISO 13849-2).
MTTFd

The contactor K1B is the only element contributing to the MTTFd of the one channel.
The MTTFd,K1B of 30 years is assumed to be given by the manufacturer. The
parts count method of D.1 yields for the MTTFd of the one channel

$$\frac{1}{\mathrm{MTTF}_{dC1}} = \frac{1}{\mathrm{MTTF}_{dK1B}} \qquad (I.2)$$

which leads to MTTFd = 30 years for the channel.

In the second channel SW2, PLC and CC are contributing to MTTFdC2. For these
three components as well as for RS an MTTFd of 20 years is assumed to be given
by the manufacturer. The parts count method of D.1 yields for the MTTFdC2 of the
second channel

$$\frac{1}{\mathrm{MTTF}_{dC2}} = \frac{1}{\mathrm{MTTF}_{dSW2}} + \frac{1}{\mathrm{MTTF}_{dPLC}} + \frac{1}{\mathrm{MTTF}_{dCC}} = \frac{1}{20\ \text{years}} + \frac{1}{20\ \text{years}} + \frac{1}{20\ \text{years}} = \frac{0.15}{\text{years}} \qquad (I.3)$$

which leads to MTTFd = 6.7 years for the channel.

Because both channels have different MTTFd, the formula of D.2 can be used
to calculate a substitutional value for a single-channel MTTFd of a symmetrical two-channel
system. This formula yields MTTFd = 20 years or "medium" for the channel
according to 4.5.2, table 5.

DC

In control circuit B, four of the safety-related parts are tested by the PLC: SW2
and K1B are read back by the PLC, the PLC performs self-tests and the CC is read
back via RS by the PLC. The related DC of every tested part are

1) DCSW2 = 60 %, "low", due to monitoring of input signals without dynamic test,
see table E.1 (Input device, EI-3),

2) DCK1B = 99 %, "high", due to normally open and normally closed mechanically
linked contacts, see table E.1 (Input device, EI-2),

3) DCPLC = 30 %, "none", due to low effectiveness of self-tests (it is assumed that
the manufacturer has calculated this value by FMEA), and

4) DCCC = 90 %, "medium", due to redundant shut-off path with monitoring of the
actuator by control logic, see table E.1 (Output device, EO-6) — if the PLC monitors
a failure of CC, it is able to stop the motion with the safe impulse blocking
(additional shut-off path).

For an estimation of the PL, an average DC value (DCavg) is needed as input for
figure 5.
$$\mathrm{DC}_{avg} = \frac{\dfrac{\mathrm{DC}_{SW2}}{\mathrm{MTTF}_{dSW2}} + \dfrac{\mathrm{DC}_{K1B}}{\mathrm{MTTF}_{dK1B}} + \dfrac{\mathrm{DC}_{PLC}}{\mathrm{MTTF}_{dPLC}} + \dfrac{\mathrm{DC}_{CC}}{\mathrm{MTTF}_{dCC}}}{\dfrac{1}{\mathrm{MTTF}_{dSW2}} + \dfrac{1}{\mathrm{MTTF}_{dK1B}} + \dfrac{1}{\mathrm{MTTF}_{dPLC}} + \dfrac{1}{\mathrm{MTTF}_{dCC}}} = \frac{\dfrac{0.6}{20\ \text{years}} + \dfrac{0.99}{30\ \text{years}} + \dfrac{0.3}{20\ \text{years}} + \dfrac{0.9}{20\ \text{years}}}{\dfrac{1}{20\ \text{years}} + \dfrac{1}{30\ \text{years}} + \dfrac{1}{20\ \text{years}} + \dfrac{1}{20\ \text{years}}} = \frac{0.123}{0.183} \approx 67.1\ \% \qquad (I.4)$$

Thus, the DCavg is "low" according to 4.5.3 and table 6.

CCF

An estimation of the measures against CCF according to F.2 is assumed to have
been carried out for control circuit B. Scores are claimed as given in table I.1.

Table I.1 Estimation of the measures against CCF for example B

No.  Item                                                    Score for        Maximum
                                                             control circuit  possible score
1    Separation/segregation
     Physical separation between signal paths                15               15
2    Diversity
     Different technologies/design or physical principles    20               20
     are used
3    Design/application/experience
3.1  Protection against overvoltage, overpressure,           None             15
     overcurrent, etc.
3.2  Components used are well-tried                          5                5
4    Assessment/analysis
     Are the results of a failure mode and effect analysis   5                5
     taken into account to avoid common cause failures in
     design?
5    Competence/training
     Have designers been trained to understand the causes    None             5
     and consequences of common cause failures?
6    Environmental
6.1  Prevention of contamination and electromagnetic         25               25
     compatibility (EMC) against CCF in accordance with
     appropriate standards
6.2  Other influences
     Have the requirements for immunity to all relevant      10               10
     environmental influences, such as temperature, shock,
     vibration, humidity (e.g. as specified in relevant
     standards) been considered?
     Total                                                   80               Max. 100

Sufficient measures against CCF require a minimum score of 65. In example B, a
score of 80 is sufficient to fulfil the requirements against CCF.
A single fault in any of the parts does not lead to the loss of the safety function. 
Whenever reasonably practicable the single fault is detected at or before the next de- 
mand upon the safety function. The diagnostic coverage (DCavg) is in the range 60 % 
to 90 %. The measures against CCF are sufficient. These characteristics are typical 
for category 3. 

Input data for figure 5: MTTFd for the channel is "medium" (20 years), DCavg is "low" 
and category is 3. 

This may be interpreted as performance level c. 

This result matches the required performance level c of I.2. Thus control circuit B 
meets the requirements for risk reduction of the example application of I.2. 
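As an added example, not part of the standard, the following Python code carries out the two checks made above for control circuit B: the DCavg calculation of 4.5.3 and the CCF scoring of table I.1. The component values and scores are constructed from the figures on this page; the DC denotations other than the 60 %/90 % limits are taken from table 6 of the standard, and the rule that a CCF measure is claimed in full or not at all from F.2.

```python
# Added example, not text of the standard: evaluates the figures worked out for
# control circuit B above, DCavg (4.5.3, table 6) and the CCF score (F.2).
# Constructed from the DCavg calculation above: component -> (DC, MTTFd in years)
EXAMPLE_B_COMPONENTS = {
    "SW2": (0.60, 20.0),
    "K1B": (0.99, 30.0),
    "PLC": (0.30, 20.0),
    "CC": (0.90, 20.0),
}

# Constructed from table I.1: (measure, score claimed or None, maximum score)
EXAMPLE_B_CCF = [
    ("1 Separation/segregation", 15, 15),
    ("2 Diversity", 20, 20),
    ("3.1 Protection against overvoltage etc.", None, 15),
    ("3.2 Components used are well-tried", 5, 5),
    ("4 Assessment/analysis (FMEA)", 5, 5),
    ("5 Competence/training", None, 5),
    ("6.1 Contamination/EMC", 25, 25),
    ("6.2 Other environmental influences", 10, 10),
]

def dc_avg(components):
    """Average DC of 4.5.3: sum(DC_i / MTTFd_i) / sum(1 / MTTFd_i)."""
    numerator = sum(dc / mttfd for dc, mttfd in components.values())
    denominator = sum(1.0 / mttfd for _, mttfd in components.values())
    return numerator / denominator

def dc_level(dc):
    """Denotation of DC according to table 6 of the standard (none/low/medium/high)."""
    for limit, name in ((0.60, "none"), (0.90, "low"), (0.99, "medium")):
        if dc < limit:
            return name
    return "high"

def ccf_score(measures):
    """Sums the claimed scores. F.2 lets a measure be claimed only in full
    or not at all, so a partial claim is rejected rather than counted."""
    total = 0
    for item, claimed, maximum in measures:
        if claimed is None:
            continue
        if claimed != maximum:
            raise ValueError(f"{item}: partial score {claimed}/{maximum}")
        total += claimed
    return total

def ccf_sufficient(measures):
    return ccf_score(measures) >= 65   # minimum score required against CCF
```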
Annex J (informative) 
Software 

J.1 Description of example 

In this Annex, exemplary activities for realizing the SRESW of an SRP/CS for PLr = d 
are presented. The SRP/CS is interfaced with the machine equipment. It ensures 

— the acquisition of information sent by the various sensors, 

— the processing required to operate the control elements taking into account the 
safety requirements, and 

— the control of the actuators. 

The design of the SRESW of this application on function block level is as shown in 
figure J.1. 
Figure J.1 Function block level design of software example 

J.2 Application of V-model of software safety lifecycle 

Table J.1 presents an exemplary synthesis of activities and documents on applica- 
tion of V-model of software safety lifecycle for a machine control. 
Table J.1 Activities and documents within software safety lifecycle 

Development activity | Verification activity | Associated documentation 
Machine aspect: Identification of the functions involving the SRP/CS | Identification of safety-related functions | "Safety-related specification for machine control" 
Architecture aspect: Definition of the control architecture with sensors and actuators | Comments upon safety characteristics of chosen components | "Definition of the control architecture" 
Software specification aspect: Transcription of machine functions into software functions | Re-reading of the descriptions (see J.3) | "Software descriptions" 
Software architecture aspect: To detail the functions into functional blocks | Definition of critical blocks which are subject to greater review and validation effort | "Function block modelling" 
Encoding aspect: Encoding according to the programming rules (see J.4) | Re-reading of the code. Verification of functions and compliance with rules. | "Encoding comments in the code"; "Encoding re-reading sheets" 
Validation aspect: Making of test scenarios (operation aspect of functions; behaviour-on-failure aspect) | Verification of the test covering; verification of the test results | "Correspondence matrix" which cross-references specification paragraphs and tests; "Test sheets" comprising test scenario and comments upon results achieved 



J.3 Verification of software specification 

As part of the software safety lifecycle, the verification activity at level of the soft- 
ware specification consists in reading the descriptions so as to verify that all the sen- 
sitive points are properly described. The following should be considered when verifying 
each function: 

— limiting the cases of erroneous interpretation of the system specification; 

— avoiding gaps in specification resulting in an a priori unknown behaviour of the 
SRP/CS; 

— precisely defining conditions for activation and de-activation of functions; 

— precisely guaranteeing that all the possible cases are handled; 

— consistency tests; 

— the different parameterizing cases; 

— the reaction following a failure. 

J.4 Example of programming rules 

For the CCF, in general it should be possible to authenticate the program by au- 
thor, date of loading, version and last type of access. Concerning the programming 
rules the following rules can be differentiated. 
a) Programming rules at level of the program structure 

The programming should be structured so as to display a consistent and understandable 
general skeleton allowing the different processings to be easily localized. This implies 

1) use of templates for typical program or function blocks, 

2) partitioning of the program into segments in order to identify main parts cor- 
responding to "inputs", "processings" and "outputs", 

3) comments on each program section in the source of the program to facilitate the 
updating of the comment in case of modification, 

4) description of the role a function block has when calling this block, 

5) that memory location should be used only by one single kind of data type and 
be marked by unique labels, and 

6) that the working sequence should not depend on variables such as a jump ad- 
dress calculated at runtime of the program, conditional jumps being authorized. 

b) Programming rules regarding the use of variables 

— The activation or de-activation of any output should take place only once (cen- 
tralized conditions). 

— The program should be structured such that the equations for updating a vari- 
able are centralized. 

— Each global variable, input or output, should have a mnemonic name explicit 
enough and be described by a comment within the source. 

c) Programming rules at level of a function block 

— Preferably use function blocks that have been validated by the supplier of the 
SRP/CS, checking that the assumed operating conditions for these validated blocks 
correspond to the conditions of the program. 

— The size of the coded block should be limited to the following guideline values: 

1) parameters — maximum eight digital and two integer inputs, one output; 

2) function code — maximum ten local variables, maximum 20 Boolean equations. 

— The function blocks should not modify the global variables. 

— A digital value should be controlled relative to pre-set benchmarks to ensure the 
domain of validity. 

— A function block should try to detect inconsistencies of variables to be processed. 

— The fault code of a block should be accessible to discriminate a fault among others. 

— The fault codes and the state of the block after fault detection should be described 
by comments. 

— The resetting of the block or the restoration of a normal state should be described 
by comments. 
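An added example, not from the standard, of a small function block written to the rules of J.4 b) and c), in Python rather than a PLC language so that it can be run as is. SpeedMonitor, its speed limits and its fault codes are illustrative names; the block has two digital inputs, one integer input and a single output, keeps its benchmarks fixed, modifies no global variable, exposes its fault code, and documents its state after a fault and its reset.

```python
# Added example, not from the standard: a function block following J.4 b) and c).
from enum import IntEnum

class Fault(IntEnum):
    """Fault codes accessible to the caller so one fault can be told from another."""
    NONE = 0
    SPEED_OUT_OF_RANGE = 1    # digital value outside the pre-set benchmarks
    INPUTS_INCONSISTENT = 2   # both direction commands active at the same time

class SpeedMonitor:
    """Enables a drive only while the measured speed lies in the validated
    domain and the command inputs are consistent.

    Inputs: 2 digital (forward, reverse), 1 integer (speed); 1 output (enable),
    within the guideline values of J.4 c). The limits are pre-set at
    construction and no global variable is modified.
    State after fault detection: 'enable' is False and stays False whatever
    the inputs, until reset() restores the normal state; the block then
    re-evaluates its conditions on the next run()."""

    def __init__(self, speed_min, speed_max):
        self._speed_min, self._speed_max = speed_min, speed_max   # benchmarks
        self.fault = Fault.NONE
        self.enable = False                                        # sole output

    def run(self, forward, reverse, speed):
        if self.fault is not Fault.NONE:          # latched until reset()
            return self.enable
        if forward and reverse:                   # inconsistent variables
            self.fault = Fault.INPUTS_INCONSISTENT
        elif not self._speed_min <= speed <= self._speed_max:
            self.fault = Fault.SPEED_OUT_OF_RANGE  # outside domain of validity
        # The output is written exactly once, from centralized conditions (J.4 b).
        self.enable = self.fault is Fault.NONE and (forward or reverse)
        return self.enable

    def reset(self):
        """Restoration of the normal state; output re-enables only on the next run()."""
        self.fault = Fault.NONE
        self.enable = False
```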
Annex K (informative) 
Numerical representation of figure 5 

For MTTFd, DC, categories and PL in figure 5, see table K.1. 
Table K.1 Numerical representation of figure 5 